08d465423efc43b674308b6c4d50d7bd72e0a57e468287214243c3226ff7c162

Analysis

max time kernel
19s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 02:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe
Size

17KB
MD5

d0ed37cfb9b28c9641b6644f80b1b635
SHA1

029c2b50b35c90fd7aed0041a7899f4584f908c1
SHA256

08d465423efc43b674308b6c4d50d7bd72e0a57e468287214243c3226ff7c162
SHA512

ae78816566681f8adf8a2621a11adacfe17be196c09d445fa96a8ece3c99f39f336c998ecf0ce592c7a17b3ce8173a1976a55ff249688a4eab240c32f001422d
SSDEEP

384:4F9Gdrx6bTZWMP+afeHs7swcpPaLm3aZLbUx:s00xWF8sB9D

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2056	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2332	wintemp.exe
2704	wintemp.exe
3052	wintemp.exe
1892	wintemp.exe
2408	wintemp.exe
684	wintemp.exe
2156	wintemp.exe
3044	wintemp.exe
1464	wintemp.exe
2320	wintemp.exe
264	wintemp.exe
1972	wintemp.exe
348	wintemp.exe
624	wintemp.exe
872	wintemp.exe
1932	wintemp.exe
2708	wintemp.exe
1648	wintemp.exe
2008	wintemp.exe
2928	wintemp.exe
2840	wintemp.exe
1080	wintemp.exe
1736	wintemp.exe
1920	wintemp.exe
2496	wintemp.exe
1632	wintemp.exe
2860	wintemp.exe
3052	wintemp.exe
616	wintemp.exe
2512	wintemp.exe
2564	wintemp.exe
2044	wintemp.exe
2508	wintemp.exe
2768	wintemp.exe
2992	wintemp.exe
1204	wintemp.exe
1064	wintemp.exe
2968	wintemp.exe
1960	wintemp.exe
2144	wintemp.exe
2524	wintemp.exe
2472	wintemp.exe
2248	wintemp.exe
2060	wintemp.exe
2480	wintemp.exe
1152	wintemp.exe
800	wintemp.exe
3124	wintemp.exe
3256	wintemp.exe
3344	wintemp.exe
3380	wintemp.exe
3544	wintemp.exe
3620	wintemp.exe
3680	wintemp.exe
3772	wintemp.exe
3808	wintemp.exe
3988	wintemp.exe
4084	wintemp.exe
2412	wintemp.exe
2248	wintemp.exe
3088	wintemp.exe
3300	wintemp.exe
3712	wintemp.exe
3428	wintemp.exe

Loads dropped DLL 64 IoCs

pid	Process
2496	d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe
2496	d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe
2332	wintemp.exe
2332	wintemp.exe
2704	wintemp.exe
2704	wintemp.exe
3052	wintemp.exe
3052	wintemp.exe
1892	wintemp.exe
1892	wintemp.exe
2408	wintemp.exe
2408	wintemp.exe
684	wintemp.exe
684	wintemp.exe
2156	wintemp.exe
2156	wintemp.exe
3044	wintemp.exe
3044	wintemp.exe
1464	wintemp.exe
1464	wintemp.exe
2320	wintemp.exe
2320	wintemp.exe
264	wintemp.exe
264	wintemp.exe
1972	wintemp.exe
1972	wintemp.exe
348	wintemp.exe
348	wintemp.exe
624	wintemp.exe
624	wintemp.exe
872	wintemp.exe
872	wintemp.exe
1932	wintemp.exe
1932	wintemp.exe
2708	wintemp.exe
2708	wintemp.exe
1648	wintemp.exe
1648	wintemp.exe
2008	wintemp.exe
2008	wintemp.exe
2928	wintemp.exe
2928	wintemp.exe
2840	wintemp.exe
2840	wintemp.exe
1080	wintemp.exe
1080	wintemp.exe
1736	wintemp.exe
1736	wintemp.exe
1920	wintemp.exe
1920	wintemp.exe
2496	wintemp.exe
2496	wintemp.exe
1632	wintemp.exe
1632	wintemp.exe
2860	wintemp.exe
2860	wintemp.exe
3052	wintemp.exe
3052	wintemp.exe
616	wintemp.exe
616	wintemp.exe
2512	wintemp.exe
2512	wintemp.exe
2564	wintemp.exe
2564	wintemp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\xr.bat	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\xr.bat	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\xr.bat	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	C:\windows\SysWOW64\xr.bat	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File created	C:\windows\SysWOW64\xr.bat	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File created	C:\windows\SysWOW64\xr.bat	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\xr.bat	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\wintemp.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2332	2496	d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2332	2496	d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2332	2496	d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2332	2496	d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2056	2496	d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2056	2496	d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2056	2496	d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2056	2496	d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe	32
PID 2056 wrote to memory of 2200	2056	cmd.exe	34
PID 2056 wrote to memory of 2200	2056	cmd.exe	34
PID 2056 wrote to memory of 2200	2056	cmd.exe	34
PID 2056 wrote to memory of 2200	2056	cmd.exe	34
PID 2332 wrote to memory of 2704	2332	wintemp.exe	35
PID 2332 wrote to memory of 2704	2332	wintemp.exe	35
PID 2332 wrote to memory of 2704	2332	wintemp.exe	35
PID 2332 wrote to memory of 2704	2332	wintemp.exe	35
PID 2332 wrote to memory of 2716	2332	wintemp.exe	36
PID 2332 wrote to memory of 2716	2332	wintemp.exe	36
PID 2332 wrote to memory of 2716	2332	wintemp.exe	36
PID 2332 wrote to memory of 2716	2332	wintemp.exe	36
PID 2716 wrote to memory of 2892	2716	cmd.exe	131
PID 2716 wrote to memory of 2892	2716	cmd.exe	131
PID 2716 wrote to memory of 2892	2716	cmd.exe	131
PID 2716 wrote to memory of 2892	2716	cmd.exe	131
PID 2716 wrote to memory of 2596	2716	cmd.exe	280
PID 2716 wrote to memory of 2596	2716	cmd.exe	280
PID 2716 wrote to memory of 2596	2716	cmd.exe	280
PID 2716 wrote to memory of 2596	2716	cmd.exe	280
PID 2704 wrote to memory of 3052	2704	wintemp.exe	306
PID 2704 wrote to memory of 3052	2704	wintemp.exe	306
PID 2704 wrote to memory of 3052	2704	wintemp.exe	306
PID 2704 wrote to memory of 3052	2704	wintemp.exe	306
PID 2704 wrote to memory of 1888	2704	wintemp.exe	41
PID 2704 wrote to memory of 1888	2704	wintemp.exe	41
PID 2704 wrote to memory of 1888	2704	wintemp.exe	41
PID 2704 wrote to memory of 1888	2704	wintemp.exe	41
PID 2716 wrote to memory of 1648	2716	cmd.exe	217
PID 2716 wrote to memory of 1648	2716	cmd.exe	217
PID 2716 wrote to memory of 1648	2716	cmd.exe	217
PID 2716 wrote to memory of 1648	2716	cmd.exe	217
PID 1888 wrote to memory of 2644	1888	cmd.exe	141
PID 1888 wrote to memory of 2644	1888	cmd.exe	141
PID 1888 wrote to memory of 2644	1888	cmd.exe	141
PID 1888 wrote to memory of 2644	1888	cmd.exe	141
PID 2716 wrote to memory of 2764	2716	cmd.exe	142
PID 2716 wrote to memory of 2764	2716	cmd.exe	142
PID 2716 wrote to memory of 2764	2716	cmd.exe	142
PID 2716 wrote to memory of 2764	2716	cmd.exe	142
PID 1888 wrote to memory of 1680	1888	cmd.exe	46
PID 1888 wrote to memory of 1680	1888	cmd.exe	46
PID 1888 wrote to memory of 1680	1888	cmd.exe	46
PID 1888 wrote to memory of 1680	1888	cmd.exe	46
PID 2716 wrote to memory of 1440	2716	cmd.exe	286
PID 2716 wrote to memory of 1440	2716	cmd.exe	286
PID 2716 wrote to memory of 1440	2716	cmd.exe	286
PID 2716 wrote to memory of 1440	2716	cmd.exe	286
PID 1888 wrote to memory of 1064	1888	cmd.exe	365
PID 1888 wrote to memory of 1064	1888	cmd.exe	365
PID 1888 wrote to memory of 1064	1888	cmd.exe	365
PID 1888 wrote to memory of 1064	1888	cmd.exe	365
PID 1888 wrote to memory of 2024	1888	cmd.exe	145
PID 1888 wrote to memory of 2024	1888	cmd.exe	145
PID 1888 wrote to memory of 2024	1888	cmd.exe	145
PID 1888 wrote to memory of 2024	1888	cmd.exe	145

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5696	Process not Found
7028	Process not Found
5568	Process not Found
11292	Process not Found
7928	Process not Found
7648	Process not Found
1276	attrib.exe
3964	attrib.exe
9480	Process not Found
11084	Process not Found
18056	Process not Found
2956	Process not Found
8916	Process not Found
12636	Process not Found
9632	Process not Found
8596	Process not Found
11872	Process not Found
5664	Process not Found
4632	attrib.exe
1764	Process not Found
264	Process not Found
3144	Process not Found
15244	Process not Found
11776	Process not Found
1796	Process not Found
10408	Process not Found
15592	Process not Found
7372	Process not Found
8592	Process not Found
1040	Process not Found
13276	Process not Found
5564	Process not Found
16012	Process not Found
16784	Process not Found
4344	attrib.exe
9816	Process not Found
13548	Process not Found
13912	Process not Found
16760	Process not Found
3900	attrib.exe
9732	Process not Found
10084	Process not Found
4124	Process not Found
16900	Process not Found
5628	Process not Found
11720	Process not Found
3936	Process not Found
7540	Process not Found
3136	Process not Found
9168	Process not Found
11604	Process not Found
14568	Process not Found
5400	Process not Found
17584	Process not Found
6872	Process not Found
7892	Process not Found
6124	Process not Found
11640	Process not Found
5840	Process not Found
5972	Process not Found
1480	Process not Found
15816	Process not Found
15856	Process not Found
3224	Process not Found

C:\Users\Admin\AppData\Local\Temp\d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496
- C:\windows\SysWOW64\wintemp.exe
  "C:\windows\system32\wintemp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\windows\SysWOW64\wintemp.exe
    "C:\windows\system32\wintemp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\windows\SysWOW64\wintemp.exe
      "C:\windows\system32\wintemp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3052
    - - C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1892
      - C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2408
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:684
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2156
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3044
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1464
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2320
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:264
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1972
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:348
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:624
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:872
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1932
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2708
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1648
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2008
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2928
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2840
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1080
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1736
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1920
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2496
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1632
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2860
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3052
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:616
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2512
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2564
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        33⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        34⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        36⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        37⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        39⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1960
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        41⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        42⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        43⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        44⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        46⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        47⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        48⤵
        Executes dropped EXE
        
        PID:800
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        49⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3344
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        53⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        55⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        56⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        57⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        59⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        60⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        64⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        65⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        66⤵
        
        PID:3532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        67⤵
        Drops file in System32 directory
        
        PID:3592
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        68⤵
        
        PID:3944
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        69⤵
        
        PID:4080
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        70⤵
        
        PID:3724
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        71⤵
        
        PID:2156
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        72⤵
        
        PID:3704
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        74⤵
        
        PID:3064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        75⤵
        
        PID:3976
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        76⤵
        
        PID:736
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        77⤵
        
        PID:3796
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        79⤵
        
        PID:3588
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        80⤵
        
        PID:4064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        81⤵
        
        PID:4116
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        82⤵
        
        PID:4300
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        83⤵
        Drops file in System32 directory
        
        PID:4392
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        84⤵
        
        PID:4572
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        85⤵
        
        PID:4724
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        86⤵
        
        PID:4932
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        87⤵
        
        PID:5012
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        88⤵
        Drops file in System32 directory
        
        PID:3868
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        89⤵
        
        PID:4236
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        90⤵
        
        PID:4372
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        91⤵
        
        PID:4596
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        92⤵
        
        PID:4824
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        93⤵
        
        PID:4876
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        94⤵
        
        PID:5040
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        95⤵
        
        PID:4144
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        96⤵
        
        PID:4428
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        97⤵
        
        PID:4640
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        99⤵
        
        PID:4880
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        100⤵
        Drops file in System32 directory
        
        PID:4772
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        101⤵
        
        PID:3796
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        102⤵
        
        PID:5088
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        103⤵
        
        PID:1604
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        104⤵
        
        PID:1592
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        105⤵
        
        PID:744
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        106⤵
        
        PID:4560
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        107⤵
        
        PID:4716
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        108⤵
        
        PID:1304
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        109⤵
        
        PID:4256
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        108⤵
        
        PID:4180
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        106⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        107⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        107⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        107⤵
        
        PID:5016
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        105⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        106⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        106⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        106⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        106⤵
        
        PID:4168
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        104⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        105⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        105⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        105⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        105⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        105⤵
        
        PID:3676
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        103⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        104⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        104⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        104⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        104⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        104⤵
        
        PID:4244
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        102⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        103⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        103⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        103⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        103⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        103⤵
        
        PID:4148
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        101⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        
        PID:740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        102⤵
        
        PID:2724
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        100⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        99⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        100⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        100⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        100⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        100⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        100⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        100⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        100⤵
        
        PID:5068
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        96⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        97⤵
        
        PID:4284
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        88⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        89⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        89⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        89⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        89⤵
        
        PID:3928
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        78⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        79⤵
        
        PID:4244
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        55⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        56⤵
        
        PID:4328
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        41⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        42⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        35⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        30⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        29⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        30⤵
        Drops file in System32 directory
        
        PID:4772
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        28⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        26⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        Views/modifies file attributes
        
        PID:3900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        27⤵
        
        PID:4152
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        25⤵
        
        PID:344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        26⤵
        
        PID:4176
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        22⤵
        
        PID:772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        23⤵
        
        PID:4136
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        19⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        18⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        19⤵
        
        PID:3892
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        17⤵
        
        PID:108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        18⤵
        
        PID:872
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        16⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        17⤵
        Views/modifies file attributes
        
        PID:4344
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        15⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        16⤵
        
        PID:3692
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        14⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        13⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        Views/modifies file attributes
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        14⤵
        
        PID:4336
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        12⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        13⤵
        Drops file in System32 directory
        
        PID:3952
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        11⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        12⤵
        
        PID:5016
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        9⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        10⤵
        
        PID:4132
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        9⤵
        
        PID:1784
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        7⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        8⤵
        
        PID:4320
      - C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        6⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        7⤵
        
        PID:2720
    - - C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SysWOW64\xr.bat" "
        5⤵
        
        PID:1940
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2920
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:444
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2224
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:1068
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:1048
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:1772
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:760
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:352
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:988
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:1568
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2768
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2864
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2644
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2956
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:1204
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:1276
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2804
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3040
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2188
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2092
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2108
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:2920
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:1808
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:1276
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:1380
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3364
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3796
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:760
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3596
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3872
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3632
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3112
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3648
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3676
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:4196
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:4540
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:4876
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:5116
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3936
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:4648
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:4704
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:4788
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        
        PID:3696
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
  - - C:\windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\SysWOW64\xr.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:1064
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:1884
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:236
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:2312
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:772
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:1708
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:680
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:3016
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:1860
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
        5⤵
        
        PID:2316
- - C:\windows\SysWOW64\cmd.exe
    cmd /c ""C:\windows\SysWOW64\xr.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:1440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:1852
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:284
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      System Location Discovery: System Language Discovery
      PID:2256
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      System Location Discovery: System Language Discovery
      PID:2868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      System Location Discovery: System Language Discovery
      PID:1584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      System Location Discovery: System Language Discovery
      PID:3288
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4060
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:3928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4256
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:3672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4180
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:288
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:108
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:1240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4920
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\windows\SysWOW64\wintemp.exe" -r -a -s -h
      4⤵
      PID:4172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\xr.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\d0ed37cfb9b28c9641b6644f80b1b635_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "746076834209954260113567291078217042212093736472-669652591-588910112-659332638"
1⤵
PID:740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1125323230-670504243-7817730551541025450-1852812038-1942585734-386118665-1384442308"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1699681690425657125-1761315225-2091963723-1655853736-183595998314387987132140830551"
1⤵
PID:4608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "134412747517676882233465915821050423458110051062-1341130897-394170476-1742636642"
1⤵
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xr.bat

Filesize
332B

MD5
ac99d82700ade229df9eee92a78492c5

SHA1
814a53f90cde9506da548512f44af1374d90ff4f

SHA256
7e9be37bd1bcd0433b1c994bd01a2ebd87120fff61d0b05eb0ff6b78e43374ce

SHA512
a486dd9824153d889223f4e120082accfc0663c090e7a77e2df44a6bd3baa37e5e359f024b4a198e6bd1f0b8c62a6a083faab934e6571319e0df7c455b1abf75

Download Submit
C:\Windows\SysWOW64\xr.bat

Filesize
173B

MD5
a6874e526c1039494350316041762fd6

SHA1
b7623917c7f43bfca35d0e6718832a02e52bc804

SHA256
8d6be857eb7093b6010bda7c004745e15a8c4ed426e0cb3ae76f6a603a40540f

SHA512
bd82a45f68ce9ed44b33d7a625b9648efef87d3c00606f70f1e7caaba9cd87a82fb28582e736f03c0bf364996381c4ad3c901f4c7e41398eb194187651e78126

Download Submit
\Windows\SysWOW64\wintemp.exe

Filesize
17KB

MD5
d0ed37cfb9b28c9641b6644f80b1b635

SHA1
029c2b50b35c90fd7aed0041a7899f4584f908c1

SHA256
08d465423efc43b674308b6c4d50d7bd72e0a57e468287214243c3226ff7c162

SHA512
ae78816566681f8adf8a2621a11adacfe17be196c09d445fa96a8ece3c99f39f336c998ecf0ce592c7a17b3ce8173a1976a55ff249688a4eab240c32f001422d

Download Submit
memory/264-139-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/348-161-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/348-144-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/616-275-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/616-269-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/616-277-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/624-158-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/624-166-0x0000000002170000-0x000000000218D000-memory.dmp

Filesize
116KB

Download
memory/624-175-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/684-99-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/872-176-0x0000000003280000-0x000000000329D000-memory.dmp

Filesize
116KB

Download
memory/872-167-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/872-186-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1064-300-0x0000000003180000-0x000000000319D000-memory.dmp

Filesize
116KB

Download
memory/1064-314-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1064-315-0x0000000003180000-0x000000000319D000-memory.dmp

Filesize
116KB

Download
memory/1080-218-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1080-228-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1204-304-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1464-112-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1464-117-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1632-246-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1632-237-0x0000000002880000-0x000000000289D000-memory.dmp

Filesize
116KB

Download
memory/1632-235-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1648-206-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1648-219-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1736-223-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1736-220-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1892-57-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1892-79-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1920-233-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1920-225-0x0000000002100000-0x000000000211D000-memory.dmp

Filesize
116KB

Download
memory/1932-185-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1932-187-0x0000000003170000-0x000000000318D000-memory.dmp

Filesize
116KB

Download
memory/1932-196-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1960-313-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1972-154-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2008-221-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2044-297-0x0000000003030000-0x000000000304D000-memory.dmp

Filesize
116KB

Download
memory/2044-276-0x0000000003030000-0x000000000304D000-memory.dmp

Filesize
116KB

Download
memory/2044-296-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2144-318-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2144-319-0x0000000003070000-0x000000000308D000-memory.dmp

Filesize
116KB

Download
memory/2156-108-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2248-320-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2320-119-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2320-124-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2332-35-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2332-24-0x0000000003170000-0x000000000318D000-memory.dmp

Filesize
116KB

Download
memory/2332-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2408-86-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2496-229-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2496-258-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2496-20-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2496-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2496-234-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/2508-291-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2508-279-0x0000000003180000-0x000000000319D000-memory.dmp

Filesize
116KB

Download
memory/2508-282-0x0000000003180000-0x000000000319D000-memory.dmp

Filesize
116KB

Download
memory/2512-281-0x0000000003200000-0x000000000321D000-memory.dmp

Filesize
116KB

Download
memory/2512-278-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2512-280-0x0000000003200000-0x000000000321D000-memory.dmp

Filesize
116KB

Download
memory/2512-270-0x0000000003200000-0x000000000321D000-memory.dmp

Filesize
116KB

Download
memory/2512-271-0x0000000003200000-0x000000000321D000-memory.dmp

Filesize
116KB

Download
memory/2524-317-0x0000000003180000-0x000000000319D000-memory.dmp

Filesize
116KB

Download
memory/2564-272-0x0000000003170000-0x000000000318D000-memory.dmp

Filesize
116KB

Download
memory/2564-292-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2564-295-0x0000000003170000-0x000000000318D000-memory.dmp

Filesize
116KB

Download
memory/2704-50-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2704-26-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2704-40-0x0000000002F60000-0x0000000002F7D000-memory.dmp

Filesize
116KB

Download
memory/2708-205-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2768-299-0x00000000030C0000-0x00000000030DD000-memory.dmp

Filesize
116KB

Download
memory/2768-301-0x00000000030C0000-0x00000000030DD000-memory.dmp

Filesize
116KB

Download
memory/2768-294-0x00000000030C0000-0x00000000030DD000-memory.dmp

Filesize
116KB

Download
memory/2768-293-0x00000000030C0000-0x00000000030DD000-memory.dmp

Filesize
116KB

Download
memory/2768-298-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2840-227-0x00000000030C0000-0x00000000030DD000-memory.dmp

Filesize
116KB

Download
memory/2840-226-0x00000000030C0000-0x00000000030DD000-memory.dmp

Filesize
116KB

Download
memory/2840-224-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2840-208-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2840-217-0x00000000030C0000-0x00000000030DD000-memory.dmp

Filesize
116KB

Download
memory/2860-257-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2860-247-0x00000000034F0000-0x000000000350D000-memory.dmp

Filesize
116KB

Download
memory/2860-248-0x00000000034F0000-0x000000000350D000-memory.dmp

Filesize
116KB

Download
memory/2860-238-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2928-216-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2968-316-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2992-302-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2992-303-0x0000000003290000-0x00000000032AD000-memory.dmp

Filesize
116KB

Download
memory/3044-110-0x0000000001FA0000-0x0000000001FBD000-memory.dmp

Filesize
116KB

Download
memory/3044-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3052-54-0x00000000034E0000-0x00000000034FD000-memory.dmp

Filesize
116KB

Download
memory/3052-66-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3052-259-0x0000000003280000-0x000000000329D000-memory.dmp

Filesize
116KB

Download
memory/3052-268-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/15632-1532-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download