dbaba294a0c6160c6d3e664008e54e41d1701f24086762cb811906419d087842

Analysis

max time kernel
128s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe
Size

17KB
MD5

aeb6358ae61adad0355511798bbbbc78
SHA1

f0e190f821c4aeeae92a44277d48b1d9a0e9dc1a
SHA256

dbaba294a0c6160c6d3e664008e54e41d1701f24086762cb811906419d087842
SHA512

a26daef68a9c48b43d9d7a183a2c6eab989d8d751aabe7ec7de77c005d31d20247c91a66e593e95fe388cb9b7ff2c3514d9cc2256e04ced3448bec45968f5750
SSDEEP

384:1f3tbXrxjdYKcozbY8PqBKn3xraKJ2L4m84pfXKV+:xtZdSoVqBK3nJNSpXR

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\hapdrv.sys	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
4876	MMKAFNFW1076.exe
2760	MMKAFNFW1076.exe
3512	MMKAFNFW1076.exe
4908	MMKAFNFW1076.exe
1320	MMKAFNFW1076.exe
2312	MMKAFNFW1076.exe
1820	MMKAFNFW1076.exe
4740	MMKAFNFW1076.exe
2404	MMKAFNFW1076.exe
4444	MMKAFNFW1076.exe
3052	MMKAFNFW1076.exe
2728	MMKAFNFW1076.exe
2664	MMKAFNFW1076.exe
1596	MMKAFNFW1076.exe
4340	MMKAFNFW1076.exe
4120	MMKAFNFW1076.exe
3676	MMKAFNFW1076.exe
2828	MMKAFNFW1076.exe
3692	MMKAFNFW1076.exe
4632	MMKAFNFW1076.exe
3292	MMKAFNFW1076.exe
3220	MMKAFNFW1076.exe
2432	MMKAFNFW1076.exe
5040	MMKAFNFW1076.exe
2296	MMKAFNFW1076.exe
3080	MMKAFNFW1076.exe
4584	MMKAFNFW1076.exe
1908	MMKAFNFW1076.exe
3896	MMKAFNFW1076.exe
1596	MMKAFNFW1076.exe
4340	MMKAFNFW1076.exe
4464	MMKAFNFW1076.exe
3352	MMKAFNFW1076.exe
3388	MMKAFNFW1076.exe
1932	MMKAFNFW1076.exe
2760	MMKAFNFW1076.exe
2092	MMKAFNFW1076.exe
3216	MMKAFNFW1076.exe
1860	MMKAFNFW1076.exe
4340	MMKAFNFW1076.exe
804	MMKAFNFW1076.exe
1596	MMKAFNFW1076.exe
2928	MMKAFNFW1076.exe
1040	MMKAFNFW1076.exe
4340	MMKAFNFW1076.exe
3152	MMKAFNFW1076.exe
1164	MMKAFNFW1076.exe
5136	MMKAFNFW1076.exe
5232	MMKAFNFW1076.exe
5464	MMKAFNFW1076.exe
5516	MMKAFNFW1076.exe
5596	MMKAFNFW1076.exe
5712	MMKAFNFW1076.exe
5812	MMKAFNFW1076.exe
5924	MMKAFNFW1076.exe
6032	MMKAFNFW1076.exe
6108	MMKAFNFW1076.exe
5244	MMKAFNFW1076.exe
5396	MMKAFNFW1076.exe
5628	MMKAFNFW1076.exe
5712	MMKAFNFW1076.exe
5912	MMKAFNFW1076.exe
6084	MMKAFNFW1076.exe
5180	MMKAFNFW1076.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	MMKAFNFW1076.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMKAFNFW1076.exe	attrib.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MMKAFNFW1076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MMKAFNFW1076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MMKAFNFW1076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MMKAFNFW1076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe
3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe
3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe
3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe
3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe
3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe
3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe
3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe
4876	MMKAFNFW1076.exe
4876	MMKAFNFW1076.exe
4876	MMKAFNFW1076.exe
4876	MMKAFNFW1076.exe
4876	MMKAFNFW1076.exe
4876	MMKAFNFW1076.exe
4876	MMKAFNFW1076.exe
4876	MMKAFNFW1076.exe
2760	MMKAFNFW1076.exe
2760	MMKAFNFW1076.exe
2760	MMKAFNFW1076.exe
2760	MMKAFNFW1076.exe
2760	MMKAFNFW1076.exe
2760	MMKAFNFW1076.exe
2760	MMKAFNFW1076.exe
2760	MMKAFNFW1076.exe
3512	MMKAFNFW1076.exe
3512	MMKAFNFW1076.exe
3512	MMKAFNFW1076.exe
3512	MMKAFNFW1076.exe
3512	MMKAFNFW1076.exe
3512	MMKAFNFW1076.exe
3512	MMKAFNFW1076.exe
3512	MMKAFNFW1076.exe
4908	MMKAFNFW1076.exe
4908	MMKAFNFW1076.exe
4908	MMKAFNFW1076.exe
4908	MMKAFNFW1076.exe
4908	MMKAFNFW1076.exe
4908	MMKAFNFW1076.exe
4908	MMKAFNFW1076.exe
4908	MMKAFNFW1076.exe
1320	MMKAFNFW1076.exe
1320	MMKAFNFW1076.exe
1320	MMKAFNFW1076.exe
1320	MMKAFNFW1076.exe
1320	MMKAFNFW1076.exe
1320	MMKAFNFW1076.exe
1320	MMKAFNFW1076.exe
1320	MMKAFNFW1076.exe
2312	MMKAFNFW1076.exe
2312	MMKAFNFW1076.exe
2312	MMKAFNFW1076.exe
2312	MMKAFNFW1076.exe
2312	MMKAFNFW1076.exe
2312	MMKAFNFW1076.exe
2312	MMKAFNFW1076.exe
2312	MMKAFNFW1076.exe
1820	MMKAFNFW1076.exe
1820	MMKAFNFW1076.exe
1820	MMKAFNFW1076.exe
1820	MMKAFNFW1076.exe
1820	MMKAFNFW1076.exe
1820	MMKAFNFW1076.exe
1820	MMKAFNFW1076.exe
1820	MMKAFNFW1076.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 4876	3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe	84
PID 3960 wrote to memory of 4876	3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe	84
PID 3960 wrote to memory of 4876	3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe	84
PID 3960 wrote to memory of 1952	3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe	85
PID 3960 wrote to memory of 1952	3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe	85
PID 3960 wrote to memory of 1952	3960	aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe	85
PID 4876 wrote to memory of 2760	4876	MMKAFNFW1076.exe	86
PID 4876 wrote to memory of 2760	4876	MMKAFNFW1076.exe	86
PID 4876 wrote to memory of 2760	4876	MMKAFNFW1076.exe	86
PID 4876 wrote to memory of 1544	4876	MMKAFNFW1076.exe	87
PID 4876 wrote to memory of 1544	4876	MMKAFNFW1076.exe	87
PID 4876 wrote to memory of 1544	4876	MMKAFNFW1076.exe	87
PID 2760 wrote to memory of 3512	2760	MMKAFNFW1076.exe	197
PID 2760 wrote to memory of 3512	2760	MMKAFNFW1076.exe	197
PID 2760 wrote to memory of 3512	2760	MMKAFNFW1076.exe	197
PID 2760 wrote to memory of 3500	2760	MMKAFNFW1076.exe	91
PID 2760 wrote to memory of 3500	2760	MMKAFNFW1076.exe	91
PID 2760 wrote to memory of 3500	2760	MMKAFNFW1076.exe	91
PID 3512 wrote to memory of 4908	3512	MMKAFNFW1076.exe	289
PID 3512 wrote to memory of 4908	3512	MMKAFNFW1076.exe	289
PID 3512 wrote to memory of 4908	3512	MMKAFNFW1076.exe	289
PID 3512 wrote to memory of 1852	3512	MMKAFNFW1076.exe	94
PID 3512 wrote to memory of 1852	3512	MMKAFNFW1076.exe	94
PID 3512 wrote to memory of 1852	3512	MMKAFNFW1076.exe	94
PID 4908 wrote to memory of 1320	4908	MMKAFNFW1076.exe	162
PID 4908 wrote to memory of 1320	4908	MMKAFNFW1076.exe	162
PID 4908 wrote to memory of 1320	4908	MMKAFNFW1076.exe	162
PID 4908 wrote to memory of 1408	4908	MMKAFNFW1076.exe	96
PID 4908 wrote to memory of 1408	4908	MMKAFNFW1076.exe	96
PID 4908 wrote to memory of 1408	4908	MMKAFNFW1076.exe	96
PID 1320 wrote to memory of 2312	1320	MMKAFNFW1076.exe	99
PID 1320 wrote to memory of 2312	1320	MMKAFNFW1076.exe	99
PID 1320 wrote to memory of 2312	1320	MMKAFNFW1076.exe	99
PID 1320 wrote to memory of 3916	1320	MMKAFNFW1076.exe	100
PID 1320 wrote to memory of 3916	1320	MMKAFNFW1076.exe	100
PID 1320 wrote to memory of 3916	1320	MMKAFNFW1076.exe	100
PID 2312 wrote to memory of 1820	2312	MMKAFNFW1076.exe	102
PID 2312 wrote to memory of 1820	2312	MMKAFNFW1076.exe	102
PID 2312 wrote to memory of 1820	2312	MMKAFNFW1076.exe	102
PID 2312 wrote to memory of 1232	2312	MMKAFNFW1076.exe	103
PID 2312 wrote to memory of 1232	2312	MMKAFNFW1076.exe	103
PID 2312 wrote to memory of 1232	2312	MMKAFNFW1076.exe	103
PID 1820 wrote to memory of 4740	1820	MMKAFNFW1076.exe	104
PID 1820 wrote to memory of 4740	1820	MMKAFNFW1076.exe	104
PID 1820 wrote to memory of 4740	1820	MMKAFNFW1076.exe	104
PID 1820 wrote to memory of 4664	1820	MMKAFNFW1076.exe	105
PID 1820 wrote to memory of 4664	1820	MMKAFNFW1076.exe	105
PID 1820 wrote to memory of 4664	1820	MMKAFNFW1076.exe	105
PID 4740 wrote to memory of 2404	4740	MMKAFNFW1076.exe	304
PID 4740 wrote to memory of 2404	4740	MMKAFNFW1076.exe	304
PID 4740 wrote to memory of 2404	4740	MMKAFNFW1076.exe	304
PID 4740 wrote to memory of 1536	4740	MMKAFNFW1076.exe	109
PID 4740 wrote to memory of 1536	4740	MMKAFNFW1076.exe	109
PID 4740 wrote to memory of 1536	4740	MMKAFNFW1076.exe	109
PID 2404 wrote to memory of 4444	2404	MMKAFNFW1076.exe	111
PID 2404 wrote to memory of 4444	2404	MMKAFNFW1076.exe	111
PID 2404 wrote to memory of 4444	2404	MMKAFNFW1076.exe	111
PID 2404 wrote to memory of 1336	2404	MMKAFNFW1076.exe	112
PID 2404 wrote to memory of 1336	2404	MMKAFNFW1076.exe	112
PID 2404 wrote to memory of 1336	2404	MMKAFNFW1076.exe	112
PID 4444 wrote to memory of 3052	4444	MMKAFNFW1076.exe	114
PID 4444 wrote to memory of 3052	4444	MMKAFNFW1076.exe	114
PID 4444 wrote to memory of 3052	4444	MMKAFNFW1076.exe	114
PID 4444 wrote to memory of 860	4444	MMKAFNFW1076.exe	115

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
11944	Process not Found
13112	Process not Found
13344	Process not Found
12492	Process not Found
10996	Process not Found
11948	Process not Found
12092	Process not Found
12760	Process not Found
9512	attrib.exe
9316	attrib.exe
10724	attrib.exe
10724	Process not Found
11724	Process not Found
13116	Process not Found
12180	Process not Found
8220	attrib.exe
8668	attrib.exe
11252	Process not Found
12520	Process not Found
12416	Process not Found
6012	attrib.exe
12156	Process not Found
12516	Process not Found
12520	Process not Found
5684	attrib.exe
9404	attrib.exe
11052	Process not Found
11700	Process not Found
12236	Process not Found
7536	attrib.exe
8712	attrib.exe
9460	attrib.exe
12852	Process not Found
15348	Process not Found
7032	attrib.exe
7952	attrib.exe
10304	attrib.exe
11676	Process not Found
12708	Process not Found
5280	attrib.exe
8636	attrib.exe
6356	attrib.exe
10660	attrib.exe
10540	attrib.exe
9064	Process not Found
7032	attrib.exe
10064	attrib.exe
6356	attrib.exe
9992	attrib.exe
11068	Process not Found
7432	attrib.exe
9588	attrib.exe
11292	Process not Found
13616	Process not Found
14592	Process not Found
3780	attrib.exe
8784	attrib.exe
13744	Process not Found
5228	attrib.exe
7480	attrib.exe
9604	attrib.exe
13796	Process not Found
12492	Process not Found
10252	Process not Found

C:\Users\Admin\AppData\Local\Temp\aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\SysWOW64\MMKAFNFW1076.exe
  C:\Windows\system32\MMKAFNFW1076.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\MMKAFNFW1076.exe
    C:\Windows\system32\MMKAFNFW1076.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\MMKAFNFW1076.exe
      C:\Windows\system32\MMKAFNFW1076.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        13⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        15⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        17⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        19⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        20⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        21⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        22⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        23⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        24⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        25⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        26⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        27⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        28⤵
        Drops file in Drivers directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        29⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        30⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        31⤵
        Drops file in Drivers directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        32⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        33⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        34⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        35⤵
        Executes dropped EXE
        
        PID:3388
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        36⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        37⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        38⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        39⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        40⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        41⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        42⤵
        Executes dropped EXE
        
        PID:804
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        43⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        44⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        45⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        46⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        47⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        48⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        49⤵
        Executes dropped EXE
        
        PID:5136
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        50⤵
        Executes dropped EXE
        
        PID:5232
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        52⤵
        Executes dropped EXE
        
        PID:5516
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        53⤵
        Executes dropped EXE
        
        PID:5596
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        54⤵
        Executes dropped EXE
        
        PID:5712
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        55⤵
        Executes dropped EXE
        
        PID:5812
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        56⤵
        Executes dropped EXE
        
        PID:5924
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        57⤵
        Executes dropped EXE
        
        PID:6032
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        58⤵
        Executes dropped EXE
        
        PID:6108
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        59⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        60⤵
        Executes dropped EXE
        
        PID:5396
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        61⤵
        Executes dropped EXE
        
        PID:5628
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        62⤵
        Executes dropped EXE
        
        PID:5712
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        63⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5912
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        64⤵
        Executes dropped EXE
        
        PID:6084
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        65⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5180
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        66⤵
        Drops file in Drivers directory
        
        PID:5712
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        67⤵
        Drops file in Drivers directory
        
        PID:5112
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        68⤵
        Drops file in Drivers directory
        
        PID:5596
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        69⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6344
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        71⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        72⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        73⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        74⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        75⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        76⤵
        Drops file in Drivers directory
        
        PID:6936
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        77⤵
        Drops file in Drivers directory
        
        PID:7060
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        78⤵
        Drops file in Drivers directory
        
        PID:6168
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        79⤵
        Drops file in Drivers directory
        
        PID:6296
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        80⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        81⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        82⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        83⤵
        Drops file in Drivers directory
        
        PID:5360
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        84⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        85⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        86⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        87⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        88⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        89⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        90⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        91⤵
        Drops file in Drivers directory
        
        PID:7340
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        92⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        93⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        94⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        95⤵
        Drops file in Drivers directory
        
        PID:7804
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        96⤵
        Drops file in Drivers directory
        
        PID:7920
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        97⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        98⤵
        Drops file in Drivers directory
        
        PID:8136
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        99⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        100⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        101⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        102⤵
        Drops file in Drivers directory
        
        PID:5396
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        103⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        104⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        105⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        106⤵
        Drops file in Drivers directory
        
        PID:8072
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        107⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        108⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        109⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        110⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        111⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        112⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        113⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        114⤵
        Drops file in Drivers directory
        
        PID:7848
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        115⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        116⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        117⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        118⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        119⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        120⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        121⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        122⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        123⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        124⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        125⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        126⤵
        Drops file in Drivers directory
        
        PID:6356
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        127⤵
        Drops file in Drivers directory
        
        PID:9084
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        128⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        129⤵
        Drops file in Drivers directory
        
        PID:6332
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        130⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        131⤵
        Drops file in System32 directory
        
        PID:8160
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        132⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        133⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        134⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        135⤵
        Drops file in Drivers directory
        
        PID:9480
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        136⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        137⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        138⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        139⤵
        Drops file in Drivers directory
        
        PID:9756
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        140⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        141⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        142⤵
        Drops file in Drivers directory
        
        PID:9296
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        143⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        144⤵
        Drops file in Drivers directory
        
        PID:9812
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        145⤵
        Drops file in Drivers directory
        
        PID:8976
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        146⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        147⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        148⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        149⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        150⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        151⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        152⤵
        Drops file in Drivers directory
        
        PID:8300
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        153⤵
        Drops file in Drivers directory
        
        PID:10000
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        154⤵
        Drops file in Drivers directory
        System Location Discovery: System Language Discovery
        
        PID:8640
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        155⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        156⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        157⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        158⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        159⤵
        Drops file in Drivers directory
        
        PID:10712
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        160⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        161⤵
        Drops file in Drivers directory
        
        PID:8128
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        162⤵
        Drops file in Drivers directory
        
        PID:9432
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        163⤵
        Drops file in System32 directory
        
        PID:8756
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        164⤵
        Drops file in Drivers directory
        
        PID:7752
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        165⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        166⤵
        Drops file in Drivers directory
        
        PID:9488
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        167⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        168⤵
        Drops file in Drivers directory
        
        PID:10360
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        169⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        170⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        171⤵
        Drops file in System32 directory
        
        PID:10640
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        172⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\MMKAFNFW1076.exe
        
        C:\Windows\system32\MMKAFNFW1076.exe
        173⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240630125.bat
        173⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240630046.bat
        172⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240629921.bat
        171⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240629796.bat
        170⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240629734.bat
        169⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240629687.bat
        168⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240629609.bat
        167⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240629500.bat
        166⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240629343.bat
        165⤵
        
        PID:10588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        166⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240629265.bat
        164⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240629062.bat
        163⤵
        
        PID:8872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240628968.bat
        162⤵
        
        PID:6356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240628828.bat
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:8992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        162⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240628656.bat
        160⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240628515.bat
        159⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240628171.bat
        158⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240627984.bat
        157⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        158⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240627593.bat
        156⤵
        
        PID:5372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        157⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240627546.bat
        155⤵
        
        PID:8596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        156⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        156⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240627453.bat
        154⤵
        
        PID:7812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        155⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240627375.bat
        153⤵
        
        PID:8780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        154⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240627281.bat
        152⤵
        
        PID:9548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        153⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240627187.bat
        151⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        152⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240627125.bat
        150⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        151⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626984.bat
        149⤵
        
        PID:9904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        150⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626890.bat
        148⤵
        
        PID:8372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        149⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626750.bat
        147⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        148⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        148⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        148⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626703.bat
        146⤵
        
        PID:7808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        147⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626593.bat
        145⤵
        
        PID:10040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:9560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:10484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        146⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626546.bat
        144⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        145⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626390.bat
        143⤵
        
        PID:9384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        144⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626343.bat
        142⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        143⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626187.bat
        141⤵
        
        PID:8444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        142⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626093.bat
        140⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        141⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240626046.bat
        139⤵
        
        PID:7692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        140⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240625906.bat
        138⤵
        
        PID:6880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        139⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        139⤵
        Drops file in System32 directory
        
        PID:10144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240625765.bat
        137⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        138⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240625562.bat
        136⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        137⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        137⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240625406.bat
        135⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        136⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        136⤵
        Views/modifies file attributes
        
        PID:10724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240625328.bat
        134⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        135⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        135⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240625171.bat
        133⤵
        
        PID:8224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        134⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        134⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240625015.bat
        132⤵
        
        PID:7540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        133⤵
        Drops file in System32 directory
        
        PID:9428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        133⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624953.bat
        131⤵
        
        PID:7040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        132⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        132⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624906.bat
        130⤵
        
        PID:8592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        131⤵
        Views/modifies file attributes
        
        PID:6356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        131⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624859.bat
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:8956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        130⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        130⤵
        Drops file in System32 directory
        
        PID:9592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624812.bat
        128⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        129⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        129⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624734.bat
        127⤵
        
        PID:8440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        128⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        128⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624687.bat
        126⤵
        
        PID:8980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        127⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        127⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624640.bat
        125⤵
        
        PID:8856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        126⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        126⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624609.bat
        124⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        125⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        125⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624562.bat
        123⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        124⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        124⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624484.bat
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:8264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        123⤵
        Drops file in System32 directory
        
        PID:7752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        123⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624453.bat
        121⤵
        
        PID:8648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        122⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        122⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240624375.bat
        120⤵
        
        PID:8416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        121⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        121⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623859.bat
        119⤵
        
        PID:7604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        120⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        120⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        120⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623640.bat
        118⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        119⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        119⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        119⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623546.bat
        117⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        118⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        118⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        118⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623453.bat
        116⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        117⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        117⤵
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        117⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623390.bat
        115⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        116⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        116⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        116⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623343.bat
        114⤵
        
        PID:7272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        115⤵
        Views/modifies file attributes
        
        PID:8712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        115⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        115⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623281.bat
        113⤵
        
        PID:7328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        114⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        114⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        114⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        114⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623234.bat
        112⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        113⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        113⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        113⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623156.bat
        111⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        112⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        112⤵
        Drops file in System32 directory
        
        PID:9692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        112⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623062.bat
        110⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        111⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        111⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        111⤵
        Views/modifies file attributes
        
        PID:9588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240623000.bat
        109⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        110⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        110⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        110⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240622843.bat
        108⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        109⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        109⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        109⤵
        Views/modifies file attributes
        
        PID:10304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240622718.bat
        107⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        108⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        108⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        108⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240622281.bat
        106⤵
        
        PID:6760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        107⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        107⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        107⤵
        Drops file in System32 directory
        
        PID:9700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        107⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240622125.bat
        105⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        106⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        106⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        106⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        106⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240622093.bat
        104⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        105⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        105⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        105⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        105⤵
        Views/modifies file attributes
        
        PID:10660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240622062.bat
        103⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        104⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        104⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        104⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240622015.bat
        102⤵
        
        PID:5500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        103⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        103⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        103⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621984.bat
        101⤵
        
        PID:6936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        102⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        102⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        102⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        102⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621906.bat
        100⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        101⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        101⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        101⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621875.bat
        99⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        100⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        100⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        100⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621796.bat
        98⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        99⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        99⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        99⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621765.bat
        97⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        98⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        98⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:10848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621718.bat
        96⤵
        
        PID:7936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:8436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        97⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        97⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621640.bat
        95⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        96⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        96⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        96⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        96⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621578.bat
        94⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        95⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        95⤵
        Views/modifies file attributes
        
        PID:9512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        95⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621531.bat
        93⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        94⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        94⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        94⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        94⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621500.bat
        92⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        93⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        93⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        93⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        93⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621406.bat
        91⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        92⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        92⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        92⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        92⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        92⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621375.bat
        90⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        91⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        91⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        91⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        91⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        91⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621328.bat
        89⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        90⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        90⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        90⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        90⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        90⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621296.bat
        88⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        89⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        89⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        89⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        89⤵
        Views/modifies file attributes
        
        PID:9404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621265.bat
        87⤵
        
        PID:7024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        88⤵
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:7828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        88⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621187.bat
        86⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        87⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        87⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        87⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        87⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621093.bat
        85⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        86⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        86⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        86⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        86⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621062.bat
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        85⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        85⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        85⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        85⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240621000.bat
        83⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        84⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        84⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        84⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        84⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620906.bat
        82⤵
        
        PID:6872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        83⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        83⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        83⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        83⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620843.bat
        81⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        82⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        82⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        82⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        82⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620796.bat
        80⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        81⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        81⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        81⤵
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        81⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        81⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620765.bat
        79⤵
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        80⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        80⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        80⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        80⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:10728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620718.bat
        78⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        79⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        79⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        79⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        79⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620640.bat
        77⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        78⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        78⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        78⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        78⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620578.bat
        76⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:7764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        77⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        77⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        77⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620546.bat
        75⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        76⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        76⤵
        Views/modifies file attributes
        
        PID:8668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        76⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        76⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620453.bat
        74⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        75⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        75⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        75⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        75⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        75⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620421.bat
        73⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        74⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        74⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        74⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        74⤵
        Drops file in System32 directory
        
        PID:10356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620343.bat
        72⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        73⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        73⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        73⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        73⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        73⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620312.bat
        71⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        72⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        72⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        72⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        72⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        72⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620265.bat
        70⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        71⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        71⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        71⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        71⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        71⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620218.bat
        69⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        70⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        70⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        70⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        70⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620187.bat
        68⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        69⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        69⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        69⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        69⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        69⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620125.bat
        67⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        68⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        68⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        68⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        68⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        68⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620062.bat
        66⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        67⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        67⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        67⤵
        Views/modifies file attributes
        
        PID:8636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        67⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        67⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240620031.bat
        65⤵
        
        PID:5708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        66⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        66⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        66⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        66⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619953.bat
        64⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:6576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        65⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        65⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        65⤵
        Views/modifies file attributes
        
        PID:7032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:8576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        65⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619906.bat
        63⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        64⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        64⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        64⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        64⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619859.bat
        62⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        63⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        63⤵
        Views/modifies file attributes
        
        PID:6012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        63⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        63⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619812.bat
        61⤵
        
        PID:5724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        62⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        62⤵
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        62⤵
        Views/modifies file attributes
        
        PID:7480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        62⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        62⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        62⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619781.bat
        60⤵
        
        PID:5580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        61⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        61⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        61⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        61⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        61⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619734.bat
        59⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        60⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        60⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        60⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        60⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        60⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619671.bat
        58⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        59⤵
        Views/modifies file attributes
        
        PID:5228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        59⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        59⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        59⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        59⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        59⤵
        Views/modifies file attributes
        
        PID:9316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        59⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619640.bat
        57⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        58⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        58⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        58⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        58⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        58⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        58⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:10540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619593.bat
        56⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        57⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        57⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        57⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        57⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619546.bat
        55⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        56⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        56⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        56⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        56⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        56⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        56⤵
        Drops file in System32 directory
        
        PID:10604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619484.bat
        54⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        55⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        55⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        55⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        55⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619437.bat
        53⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        54⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        54⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        54⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        54⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        54⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619390.bat
        52⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        53⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        53⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        53⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        53⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        53⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        53⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619359.bat
        51⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        52⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        52⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        52⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        52⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        52⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619218.bat
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        51⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        51⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        51⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:8632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        51⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619171.bat
        49⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        50⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        50⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        50⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        50⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        50⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619140.bat
        48⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        49⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        49⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        49⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:9020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        49⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240619093.bat
        47⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        48⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        48⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        48⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        48⤵
        Drops file in System32 directory
        
        PID:9660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        48⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618984.bat
        46⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        47⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        47⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        47⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        47⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        47⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618968.bat
        45⤵
        
        PID:964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        46⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        46⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        46⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        46⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        46⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618937.bat
        44⤵
        
        PID:460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        45⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        45⤵
        Drops file in System32 directory
        
        PID:7604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        45⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        45⤵
        Drops file in System32 directory
        
        PID:7396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        45⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618906.bat
        43⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        44⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        44⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        44⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        44⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        44⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618859.bat
        42⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        43⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        43⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        43⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        43⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        43⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        43⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        43⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        43⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618828.bat
        41⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        42⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        42⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        42⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        42⤵
        Views/modifies file attributes
        
        PID:9604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        42⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618781.bat
        40⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        41⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        41⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        41⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        41⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        41⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618734.bat
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        40⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        40⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        40⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        40⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        40⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        40⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618687.bat
        38⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        39⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        39⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        39⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        39⤵
        Views/modifies file attributes
        
        PID:7032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        39⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        39⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:8220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        39⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        39⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        39⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618671.bat
        37⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        38⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        38⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        38⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        38⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        38⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618640.bat
        36⤵
        
        PID:2204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        37⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        37⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        37⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        37⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        37⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618593.bat
        35⤵
        
        PID:852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        36⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        36⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        36⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        36⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        36⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        36⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        36⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618562.bat
        34⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        35⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        35⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        35⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        35⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        35⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        35⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618500.bat
        33⤵
        
        PID:1340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        34⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        34⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        34⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        34⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        34⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618468.bat
        32⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        33⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        33⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        33⤵
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        33⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        33⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618437.bat
        31⤵
        
        PID:376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        32⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        32⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        32⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        32⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        32⤵
        Drops file in System32 directory
        
        PID:9144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        32⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618406.bat
        30⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        31⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        31⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        31⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        31⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        31⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618375.bat
        29⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        30⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        30⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        30⤵
        Views/modifies file attributes
        
        PID:8784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        30⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        30⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618343.bat
        28⤵
        
        PID:228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        29⤵
        
        PID:536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        29⤵
        Views/modifies file attributes
        
        PID:7952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        29⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        29⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:10840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618328.bat
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        28⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        28⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        28⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        28⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        28⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        28⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618250.bat
        26⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        27⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        27⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        27⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:8148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        27⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        27⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618203.bat
        25⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        26⤵
        
        PID:532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        26⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        26⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        26⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        26⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        26⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        26⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        26⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        26⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        26⤵
        Views/modifies file attributes
        
        PID:9992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618171.bat
        24⤵
        
        PID:544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        25⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        25⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        25⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        25⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        25⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        25⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        25⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618125.bat
        23⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        24⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        24⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        24⤵
        Views/modifies file attributes
        
        PID:7536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        24⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        24⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        24⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        24⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618109.bat
        22⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        23⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        23⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        23⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        23⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        23⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618078.bat
        21⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        22⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        22⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        22⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        22⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:10972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618046.bat
        20⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        21⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        21⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        21⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        21⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        21⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        21⤵
        Views/modifies file attributes
        
        PID:10064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:8676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        21⤵
        Views/modifies file attributes
        
        PID:9460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        21⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240618015.bat
        19⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        20⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        20⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        20⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        20⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        20⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617968.bat
        18⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        19⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        19⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        19⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        19⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        19⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        19⤵
        Drops file in System32 directory
        
        PID:10296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617937.bat
        17⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        18⤵
        Views/modifies file attributes
        
        PID:5280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        18⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        18⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        18⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        18⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617906.bat
        16⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        17⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        17⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        17⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        17⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        17⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617859.bat
        15⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        16⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        16⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        16⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        16⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        16⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        16⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617812.bat
        14⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        15⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        15⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        15⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        15⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        15⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        15⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617765.bat
        13⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        14⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        14⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        14⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        14⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        14⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        14⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:10928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617718.bat
        12⤵
        
        PID:860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        13⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        13⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        13⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        13⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        13⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        13⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617656.bat
        11⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        12⤵
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        12⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        12⤵
        Views/modifies file attributes
        
        PID:7432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        12⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        12⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        12⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617625.bat
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        11⤵
        Views/modifies file attributes
        
        PID:3780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        11⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        11⤵
        Views/modifies file attributes
        
        PID:5684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        11⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        11⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        11⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617593.bat
        9⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        10⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        10⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        10⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        10⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        10⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        10⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        10⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617578.bat
        8⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        9⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        9⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        9⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        9⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        9⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        9⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        9⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        9⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617546.bat
        7⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        8⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        8⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        8⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        8⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        8⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        8⤵
        
        PID:9672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617515.bat
        6⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        7⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        7⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        7⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        7⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        7⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        7⤵
        
        PID:9464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617500.bat
        5⤵
        
        PID:1852
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        6⤵
        
        PID:3532
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        6⤵
        
        PID:5664
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        6⤵
        
        PID:6268
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        6⤵
        
        PID:7720
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:6940
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        6⤵
        
        PID:10232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617468.bat
      4⤵
      PID:3500
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        5⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        5⤵
        
        PID:5680
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        5⤵
        
        PID:7224
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        5⤵
        
        PID:8284
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8944
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        5⤵
        
        PID:7296
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
        5⤵
        
        PID:10000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617453.bat
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
      4⤵
      PID:5540
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
      4⤵
      PID:7632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
      4⤵
      PID:8344
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
      4⤵
      PID:9136
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
      4⤵
      PID:8544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:9852
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMKAFNFW1076.exe" -r -a -s -h
      4⤵
      PID:10916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898240617437.bat
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\aeb6358ae61adad0355511798bbbbc78_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MMKAFNFW1076.exe

Filesize
17KB

MD5
aeb6358ae61adad0355511798bbbbc78

SHA1
f0e190f821c4aeeae92a44277d48b1d9a0e9dc1a

SHA256
dbaba294a0c6160c6d3e664008e54e41d1701f24086762cb811906419d087842

SHA512
a26daef68a9c48b43d9d7a183a2c6eab989d8d751aabe7ec7de77c005d31d20247c91a66e593e95fe388cb9b7ff2c3514d9cc2256e04ced3448bec45968f5750

Download Submit
C:\Windows\SysWOW64\drivers\hapdrv.sys

Filesize
2KB

MD5
6e41eccd392128a6dd1789f84e8d2bec

SHA1
89bccfeb1af169a6f792d388464c72ef53921ad0

SHA256
2876a12251e7042d6ae9d1244399211f8147faaf5f13487e460d387cf7996d34

SHA512
0eb22ec72f52a7607bc91286869fd3863aacbb454ec7bfdf65de6e128868ea86d4b9cf4089186937dcab37524bba2574fcaff2681815f52726043545cc902646

Download Submit
C:\b3b4f3ed7898240617437.bat

Filesize
333B

MD5
f7fdae78d14d0b51b7597166dc4a7506

SHA1
94fcb744594a73d7160a7b0c1287a7e3da124a49

SHA256
34e4471fef8312a659f459218d556c487a1159a3496ad29b973a1b5919e1fa48

SHA512
94f8df1358ff20dfaa878673a86a55d4f9c1657db65efc26cf92a6839b87458107e524fc629ac8b873ce73bb41b3788d85437f602d677fddd6b89c7975abc904

Download Submit
C:\b3b4f3ed7898240617500.bat

Filesize
189B

MD5
bba55c448c0a3cedff468310ae021012

SHA1
a5da94453bf3e9f9ca6c726734836986ac1c49da

SHA256
630bd2494a6c799421e9a053fc91c9696d8b395b52ad91bc5968918c84f40190

SHA512
da518e02fcc90434416c5fc68e5abe1ab8d2d9a944019c47e3b58b5c2cd9ed9dc2764e638d59002354b9825442df6c4718138318e2aa6c392a6c48857b8793a4

Download Submit