443a7b7a72d7254a23f1d7c812d7a4d79a85fb95e0c808205f2ff34605ae8fbd

Analysis

max time kernel
66s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe
Size

2KB
MD5

fcf2097110d5b445c1d9b3f417e2f674
SHA1

e71daa19bdda6a316f2f07100bc59507df155b31
SHA256

443a7b7a72d7254a23f1d7c812d7a4d79a85fb95e0c808205f2ff34605ae8fbd
SHA512

293489d97595d7e232525613563a5f8bf9eee569759c40121489288064ebd58f65fba018672b666f4860d788ecb9ad77a73f221bcae94bb6c700b2aa60567980

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2244	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1240	txMXYMXY1015.exe
1904	txMXYMXY1015.exe
2720	txMXYMXY1015.exe
2764	txMXYMXY1015.exe
2204	txMXYMXY1015.exe
2632	txMXYMXY1015.exe
1492	txMXYMXY1015.exe
596	txMXYMXY1015.exe
2832	txMXYMXY1015.exe
2164	txMXYMXY1015.exe
1444	txMXYMXY1015.exe
2100	txMXYMXY1015.exe
2540	txMXYMXY1015.exe
2528	txMXYMXY1015.exe
2384	txMXYMXY1015.exe
2760	txMXYMXY1015.exe
2176	txMXYMXY1015.exe
2656	txMXYMXY1015.exe
2816	txMXYMXY1015.exe
596	txMXYMXY1015.exe
2504	txMXYMXY1015.exe
348	txMXYMXY1015.exe
2072	txMXYMXY1015.exe
1964	txMXYMXY1015.exe
996	txMXYMXY1015.exe
2472	txMXYMXY1015.exe
2296	txMXYMXY1015.exe
648	txMXYMXY1015.exe
1204	txMXYMXY1015.exe
2092	txMXYMXY1015.exe
2464	txMXYMXY1015.exe
1240	txMXYMXY1015.exe
2204	txMXYMXY1015.exe
780	txMXYMXY1015.exe
1660	txMXYMXY1015.exe
2820	txMXYMXY1015.exe
2172	txMXYMXY1015.exe
1832	txMXYMXY1015.exe
296	txMXYMXY1015.exe
1900	txMXYMXY1015.exe
2104	txMXYMXY1015.exe
1204	txMXYMXY1015.exe
2092	txMXYMXY1015.exe
1992	txMXYMXY1015.exe
1728	txMXYMXY1015.exe
2916	txMXYMXY1015.exe
952	txMXYMXY1015.exe
1212	txMXYMXY1015.exe
1716	txMXYMXY1015.exe
2524	txMXYMXY1015.exe
1180	txMXYMXY1015.exe
2736	txMXYMXY1015.exe
2172	txMXYMXY1015.exe
296	txMXYMXY1015.exe
3040	txMXYMXY1015.exe
2736	txMXYMXY1015.exe
2264	txMXYMXY1015.exe
2896	txMXYMXY1015.exe
2736	txMXYMXY1015.exe
2772	txMXYMXY1015.exe
3076	txMXYMXY1015.exe
3136	txMXYMXY1015.exe
3232	txMXYMXY1015.exe
3288	txMXYMXY1015.exe

Loads dropped DLL 64 IoCs

pid	Process
1244	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe
1244	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe
1240	txMXYMXY1015.exe
1240	txMXYMXY1015.exe
1904	txMXYMXY1015.exe
1904	txMXYMXY1015.exe
2720	txMXYMXY1015.exe
2720	txMXYMXY1015.exe
2764	txMXYMXY1015.exe
2764	txMXYMXY1015.exe
2204	txMXYMXY1015.exe
2204	txMXYMXY1015.exe
2632	txMXYMXY1015.exe
2632	txMXYMXY1015.exe
1492	txMXYMXY1015.exe
1492	txMXYMXY1015.exe
596	txMXYMXY1015.exe
596	txMXYMXY1015.exe
2832	txMXYMXY1015.exe
2832	txMXYMXY1015.exe
2164	txMXYMXY1015.exe
2164	txMXYMXY1015.exe
1444	txMXYMXY1015.exe
1444	txMXYMXY1015.exe
2540	txMXYMXY1015.exe
2540	txMXYMXY1015.exe
2528	txMXYMXY1015.exe
2528	txMXYMXY1015.exe
2384	txMXYMXY1015.exe
2384	txMXYMXY1015.exe
2760	txMXYMXY1015.exe
2760	txMXYMXY1015.exe
2176	txMXYMXY1015.exe
2176	txMXYMXY1015.exe
2656	txMXYMXY1015.exe
2656	txMXYMXY1015.exe
2816	txMXYMXY1015.exe
2816	txMXYMXY1015.exe
596	txMXYMXY1015.exe
596	txMXYMXY1015.exe
2504	txMXYMXY1015.exe
2504	txMXYMXY1015.exe
348	txMXYMXY1015.exe
348	txMXYMXY1015.exe
2072	txMXYMXY1015.exe
2072	txMXYMXY1015.exe
1964	txMXYMXY1015.exe
1964	txMXYMXY1015.exe
996	txMXYMXY1015.exe
996	txMXYMXY1015.exe
2472	txMXYMXY1015.exe
2472	txMXYMXY1015.exe
2296	txMXYMXY1015.exe
2296	txMXYMXY1015.exe
648	txMXYMXY1015.exe
648	txMXYMXY1015.exe
1204	txMXYMXY1015.exe
1204	txMXYMXY1015.exe
2092	txMXYMXY1015.exe
2092	txMXYMXY1015.exe
2464	txMXYMXY1015.exe
2464	txMXYMXY1015.exe
1240	txMXYMXY1015.exe
1240	txMXYMXY1015.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2244	1244	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	30
PID 1244 wrote to memory of 2244	1244	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	30
PID 1244 wrote to memory of 2244	1244	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	30
PID 1244 wrote to memory of 2244	1244	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	30
PID 1244 wrote to memory of 1240	1244	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	32
PID 1244 wrote to memory of 1240	1244	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	32
PID 1244 wrote to memory of 1240	1244	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	32
PID 1244 wrote to memory of 1240	1244	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	32
PID 1240 wrote to memory of 2356	1240	txMXYMXY1015.exe	33
PID 1240 wrote to memory of 2356	1240	txMXYMXY1015.exe	33
PID 1240 wrote to memory of 2356	1240	txMXYMXY1015.exe	33
PID 1240 wrote to memory of 2356	1240	txMXYMXY1015.exe	33
PID 1240 wrote to memory of 1904	1240	txMXYMXY1015.exe	34
PID 1240 wrote to memory of 1904	1240	txMXYMXY1015.exe	34
PID 1240 wrote to memory of 1904	1240	txMXYMXY1015.exe	34
PID 1240 wrote to memory of 1904	1240	txMXYMXY1015.exe	34
PID 1904 wrote to memory of 2460	1904	txMXYMXY1015.exe	36
PID 1904 wrote to memory of 2460	1904	txMXYMXY1015.exe	36
PID 1904 wrote to memory of 2460	1904	txMXYMXY1015.exe	36
PID 1904 wrote to memory of 2460	1904	txMXYMXY1015.exe	36
PID 1904 wrote to memory of 2720	1904	txMXYMXY1015.exe	37
PID 1904 wrote to memory of 2720	1904	txMXYMXY1015.exe	37
PID 1904 wrote to memory of 2720	1904	txMXYMXY1015.exe	37
PID 1904 wrote to memory of 2720	1904	txMXYMXY1015.exe	37
PID 2720 wrote to memory of 3048	2720	txMXYMXY1015.exe	39
PID 2720 wrote to memory of 3048	2720	txMXYMXY1015.exe	39
PID 2720 wrote to memory of 3048	2720	txMXYMXY1015.exe	39
PID 2720 wrote to memory of 3048	2720	txMXYMXY1015.exe	39
PID 2720 wrote to memory of 2764	2720	txMXYMXY1015.exe	40
PID 2720 wrote to memory of 2764	2720	txMXYMXY1015.exe	40
PID 2720 wrote to memory of 2764	2720	txMXYMXY1015.exe	40
PID 2720 wrote to memory of 2764	2720	txMXYMXY1015.exe	40
PID 2244 wrote to memory of 2952	2244	cmd.exe	42
PID 2356 wrote to memory of 3032	2356	cmd.exe	43
PID 2244 wrote to memory of 2952	2244	cmd.exe	42
PID 2356 wrote to memory of 3032	2356	cmd.exe	43
PID 2244 wrote to memory of 2952	2244	cmd.exe	42
PID 2356 wrote to memory of 3032	2356	cmd.exe	43
PID 2356 wrote to memory of 3032	2356	cmd.exe	43
PID 2244 wrote to memory of 2952	2244	cmd.exe	42
PID 2764 wrote to memory of 2640	2764	txMXYMXY1015.exe	44
PID 2764 wrote to memory of 2640	2764	txMXYMXY1015.exe	44
PID 2764 wrote to memory of 2640	2764	txMXYMXY1015.exe	44
PID 2764 wrote to memory of 2640	2764	txMXYMXY1015.exe	44
PID 3048 wrote to memory of 2748	3048	cmd.exe	46
PID 3048 wrote to memory of 2748	3048	cmd.exe	46
PID 3048 wrote to memory of 2748	3048	cmd.exe	46
PID 3048 wrote to memory of 2748	3048	cmd.exe	46
PID 2764 wrote to memory of 2204	2764	txMXYMXY1015.exe	45
PID 2764 wrote to memory of 2204	2764	txMXYMXY1015.exe	45
PID 2764 wrote to memory of 2204	2764	txMXYMXY1015.exe	45
PID 2764 wrote to memory of 2204	2764	txMXYMXY1015.exe	45
PID 2204 wrote to memory of 2624	2204	txMXYMXY1015.exe	47
PID 2204 wrote to memory of 2624	2204	txMXYMXY1015.exe	47
PID 2204 wrote to memory of 2624	2204	txMXYMXY1015.exe	47
PID 2204 wrote to memory of 2624	2204	txMXYMXY1015.exe	47
PID 2204 wrote to memory of 2632	2204	txMXYMXY1015.exe	48
PID 2204 wrote to memory of 2632	2204	txMXYMXY1015.exe	48
PID 2204 wrote to memory of 2632	2204	txMXYMXY1015.exe	48
PID 2204 wrote to memory of 2632	2204	txMXYMXY1015.exe	48
PID 2460 wrote to memory of 2732	2460	cmd.exe	50
PID 2460 wrote to memory of 2732	2460	cmd.exe	50
PID 2460 wrote to memory of 2732	2460	cmd.exe	50
PID 2460 wrote to memory of 2732	2460	cmd.exe	50

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4280	attrib.exe
5836	Process not Found
6912	Process not Found
5244	Process not Found
7024	Process not Found
944	Process not Found
10276	Process not Found
5432	attrib.exe
10288	Process not Found
5624	Process not Found
6964	Process not Found
10984	Process not Found
10980	Process not Found
5148	Process not Found
5620	Process not Found
8188	Process not Found
6684	Process not Found
9468	Process not Found
7156	Process not Found
11084	Process not Found
11072	Process not Found
6592	Process not Found
9320	Process not Found
6240	Process not Found
4276	Process not Found
1864	Process not Found
5664	Process not Found
7900	Process not Found
992	Process not Found
5976	Process not Found
6348	Process not Found
7968	Process not Found
5252	Process not Found
5636	Process not Found
6840	Process not Found
6540	Process not Found
6444	Process not Found
6264	Process not Found
4168	Process not Found
9500	Process not Found
5744	attrib.exe
11232	Process not Found
5472	Process not Found
10564	Process not Found
6928	Process not Found
6524	Process not Found
1116	Process not Found
5276	Process not Found
5280	Process not Found
6256	Process not Found
5856	Process not Found
6524	Process not Found
2664	Process not Found
7812	Process not Found
10104	Process not Found
6080	Process not Found
6392	Process not Found
10320	Process not Found
6988	Process not Found
5196	Process not Found
5672	Process not Found
8080	Process not Found
10984	Process not Found
10312	Process not Found

C:\Users\Admin\AppData\Local\Temp\fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\b3b4f3ed7898259438492.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:2952
- C:\Windows\SysWOW64\txMXYMXY1015.exe
  C:\Windows\system32\txMXYMXY1015.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\b3b4f3ed7898259438539.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:5384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:4052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:6060
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:5508
- - C:\Windows\SysWOW64\txMXYMXY1015.exe
    C:\Windows\system32\txMXYMXY1015.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\b3b4f3ed7898259438570.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:1284
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:2696
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:5344
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:4612
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:5776
  - - C:\Windows\SysWOW64\txMXYMXY1015.exe
      C:\Windows\system32\txMXYMXY1015.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259438601.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:2748
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:2976
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:276
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:1308
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:908
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:2544
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:2892
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:5416
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:5696
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:5420
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:6100
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:5364
    - - C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259438632.bat
        6⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:6012
      - C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259438648.bat
        7⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259438679.bat
        8⤵
        
        PID:676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        Views/modifies file attributes
        
        PID:5744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259438710.bat
        9⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259438726.bat
        10⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259438788.bat
        11⤵
        
        PID:576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259438819.bat
        12⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259438882.bat
        13⤵
        
        PID:608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        13⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259438991.bat
        14⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439069.bat
        15⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439147.bat
        16⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        17⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        17⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        17⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        17⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        17⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        17⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439272.bat
        17⤵
        
        PID:736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439381.bat
        18⤵
        
        PID:692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        19⤵
        
        PID:996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        19⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        19⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        19⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        19⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439412.bat
        19⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439428.bat
        20⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        21⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        21⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        21⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        21⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        21⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439443.bat
        21⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439459.bat
        22⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439490.bat
        23⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        24⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        24⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        24⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        24⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        24⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439506.bat
        24⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        25⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        25⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        25⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        25⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        25⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439521.bat
        25⤵
        
        PID:412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        26⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        26⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        26⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        26⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        26⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439553.bat
        26⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        27⤵
        
        PID:908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        27⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        27⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        27⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        27⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439568.bat
        27⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439584.bat
        28⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        29⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        29⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        29⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        29⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        29⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439599.bat
        29⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439615.bat
        30⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439646.bat
        31⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439662.bat
        32⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        33⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        33⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        33⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        33⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439677.bat
        33⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        34⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        34⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        34⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        34⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        34⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439693.bat
        34⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        34⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439724.bat
        35⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        36⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        36⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        36⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        36⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        36⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        35⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439740.bat
        36⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        36⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439755.bat
        37⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:912
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        37⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439755.bat
        38⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        39⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        39⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        39⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        39⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        39⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        38⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439771.bat
        39⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        40⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        40⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        40⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        40⤵
        Views/modifies file attributes
        
        PID:4280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        40⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        39⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439802.bat
        40⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        41⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        41⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        41⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        41⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        41⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        40⤵
        Executes dropped EXE
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439818.bat
        41⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        42⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        42⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        42⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        42⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        42⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        41⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439833.bat
        42⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        43⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        43⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        43⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        43⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        43⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        42⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439865.bat
        43⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        44⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        44⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        44⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        44⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        44⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        43⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439880.bat
        44⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        45⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        45⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        45⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        45⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        45⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        44⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439911.bat
        45⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        46⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        46⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        46⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        46⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        46⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        45⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439927.bat
        46⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        47⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        47⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        47⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        47⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        47⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        46⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439943.bat
        47⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        48⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        48⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        48⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        48⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        48⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        47⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439958.bat
        48⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        49⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        49⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        49⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        49⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        49⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        48⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259439989.bat
        49⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        50⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        50⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        50⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        50⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        50⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        49⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440005.bat
        50⤵
        
        PID:900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        51⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        51⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        51⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        51⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        51⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        50⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440052.bat
        51⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        52⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        52⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        52⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        52⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        52⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        51⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440067.bat
        52⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        53⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        53⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        53⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        53⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        52⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440099.bat
        53⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        54⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        54⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        54⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        54⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        54⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        53⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440130.bat
        54⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        55⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        55⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        55⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        55⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        55⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        54⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440161.bat
        55⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        56⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        56⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        56⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        56⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        56⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        55⤵
        Executes dropped EXE
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440177.bat
        56⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        57⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        57⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        57⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        57⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        57⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        56⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440192.bat
        57⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        58⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        58⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        58⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        58⤵
        
        PID:996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        58⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        57⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440208.bat
        58⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        58⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440223.bat
        59⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        60⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        60⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        60⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        60⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        60⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        59⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440255.bat
        60⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        61⤵
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        61⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        61⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        61⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        61⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        60⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440270.bat
        61⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        61⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440286.bat
        62⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        62⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440317.bat
        63⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        64⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        64⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        64⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        64⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        64⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        63⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440333.bat
        64⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        65⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        65⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        65⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        65⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        65⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        64⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440348.bat
        65⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        66⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        66⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        66⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        66⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        65⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440364.bat
        66⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        67⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        67⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        67⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        67⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        67⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        66⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440395.bat
        67⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        68⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        68⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        68⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        68⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        68⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        67⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440411.bat
        68⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        69⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        69⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        69⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        69⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        69⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        68⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440426.bat
        69⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        70⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        70⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        70⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        70⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        70⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        69⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440457.bat
        70⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        71⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        71⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        71⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        71⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        71⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        70⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440489.bat
        71⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        72⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        72⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        72⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        72⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        72⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        71⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440504.bat
        72⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        73⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        73⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        73⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        73⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        73⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        72⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440520.bat
        73⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        74⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        74⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        74⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        74⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        73⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440535.bat
        74⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        75⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        75⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        75⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        75⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        75⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        74⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440551.bat
        75⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        76⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        76⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        76⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        76⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        76⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        75⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440567.bat
        76⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        77⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        77⤵
        
        PID:908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        77⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        77⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        77⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        76⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440582.bat
        77⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        78⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        78⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        78⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        78⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        78⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        77⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440613.bat
        78⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        79⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        79⤵
        
        PID:996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        79⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        79⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        79⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        78⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440629.bat
        79⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        80⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        80⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        80⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        80⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        80⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        79⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440645.bat
        80⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        80⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440660.bat
        81⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        82⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        82⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        82⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        82⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        81⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440676.bat
        82⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        83⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        83⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        83⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        83⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        82⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440707.bat
        83⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        84⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        84⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        84⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        84⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        84⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        83⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440723.bat
        84⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        85⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        85⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        85⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        85⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        84⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440738.bat
        85⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        86⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        86⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        86⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        86⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        86⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        85⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440754.bat
        86⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        87⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        87⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        87⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        87⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        87⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        86⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440769.bat
        87⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        88⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        88⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        88⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        88⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        88⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        87⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440785.bat
        88⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        89⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        89⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        89⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        89⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        89⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        88⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440816.bat
        89⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        89⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440832.bat
        90⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        91⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        91⤵
        
        PID:912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        91⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        91⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        91⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        90⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440847.bat
        91⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        92⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        92⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        92⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        92⤵
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        91⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440863.bat
        92⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        93⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        93⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        93⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        93⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        92⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440879.bat
        93⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        94⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        94⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        94⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        94⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        94⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        93⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440894.bat
        94⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        95⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        95⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        95⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        95⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        95⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        94⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440910.bat
        95⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        96⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        96⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        96⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        96⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        96⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        95⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440925.bat
        96⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        97⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        97⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        97⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        97⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        97⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        96⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440957.bat
        97⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        98⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        98⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        98⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        98⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        98⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        97⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440972.bat
        98⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        99⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        99⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        99⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        99⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        99⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        98⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440972.bat
        99⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        100⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        100⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        100⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        100⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        100⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        99⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259440988.bat
        100⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        101⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        101⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        101⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        101⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        101⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        100⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441019.bat
        101⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        102⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        102⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        102⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        102⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        101⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441035.bat
        102⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        103⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        103⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        103⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        103⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        103⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        102⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441050.bat
        103⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        104⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        104⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        104⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        104⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        103⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441081.bat
        104⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        105⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        105⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        105⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        105⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        104⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441097.bat
        105⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        106⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        106⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        106⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        106⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        106⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        105⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441113.bat
        106⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        107⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        107⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        107⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        107⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        107⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        106⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441128.bat
        107⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        108⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        108⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        108⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        108⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        107⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441144.bat
        108⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        109⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        109⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        109⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        109⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        108⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441175.bat
        109⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        110⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        110⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        110⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        110⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        110⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        109⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441175.bat
        110⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        111⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        111⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        111⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        111⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        111⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        110⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441191.bat
        111⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        112⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        112⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        112⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        112⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        112⤵
        
        PID:780
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        111⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441206.bat
        112⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        113⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        113⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        113⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        113⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        112⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441237.bat
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        114⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        114⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        114⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        114⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        113⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441253.bat
        114⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        115⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        115⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        115⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        115⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        114⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441269.bat
        115⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        116⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        116⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        116⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        116⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        115⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441284.bat
        116⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        117⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        117⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        117⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        117⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        116⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441300.bat
        117⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        118⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        118⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        118⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        118⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        117⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441315.bat
        118⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        119⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        119⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        119⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        119⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        118⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441331.bat
        119⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        120⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        120⤵
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        120⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        120⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        119⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441347.bat
        120⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        121⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        121⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        121⤵
        
        PID:952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        121⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        120⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441362.bat
        121⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        122⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        122⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        122⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        122⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        121⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441393.bat
        122⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        123⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        123⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        123⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        123⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        122⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441409.bat
        123⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        124⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        124⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        124⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        124⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        123⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441425.bat
        124⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        125⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        125⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        125⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        124⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441440.bat
        125⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        126⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        126⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        126⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        126⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        125⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441456.bat
        126⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        127⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        127⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        127⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        127⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        126⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441487.bat
        127⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        128⤵
        Views/modifies file attributes
        
        PID:5432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        128⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        128⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        128⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        127⤵
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441503.bat
        128⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        129⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        129⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        129⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        129⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        128⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441518.bat
        129⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        130⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        130⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        130⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        130⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        130⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        129⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441549.bat
        130⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        131⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        131⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        131⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        131⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        130⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441565.bat
        131⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        132⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        132⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        132⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        132⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        132⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        131⤵
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441581.bat
        132⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        133⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        133⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        133⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        133⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        132⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441612.bat
        133⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        134⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        134⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        134⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        134⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        133⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441627.bat
        134⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        135⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        135⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        135⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        135⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        134⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441643.bat
        135⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        136⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        136⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        136⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        136⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        135⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441659.bat
        136⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        137⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        137⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        137⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        136⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441659.bat
        137⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        138⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        138⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        138⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        138⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        138⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        137⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441674.bat
        138⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        139⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        139⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        139⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        139⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        138⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441690.bat
        139⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        140⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        140⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        140⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        140⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        139⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441705.bat
        140⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        141⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        141⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        141⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        141⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        140⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259441737.bat
        141⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        142⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        142⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        142⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        142⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        141⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\b3b4f3ed7898259442251.bat
        142⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        143⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        143⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        143⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        143⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        142⤵
        
        PID:5636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2002158339-1584656578-860561674-9835385481995472670772760129739758023-1428855923"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-209860662619424771607090628161170695071756393020-3549631041554316911779493053"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1045777397-18941941321696292857-1966056651-1050175779773637365-1791148400-528455594"
1⤵
PID:2484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1459435145-420729858175843439-1044779053547913409-12499026121043251165-1342226405"
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-66193309749520921840738122-78002059-165079181668786089529156496-265790104"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12914171566717470281991887548-2121913282-1092585041889260723400853538-314780387"
1⤵
PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "628435679713449062-1629740846127591841412789773641659919230-37883172-1158662658"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "414047218-1992183754-284132672-6791460571076867210-638751841-2024167348-20741126"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "703224632-13989791431607890834-1478759177-203151018516419916201270671622008437350"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-649152488555931336-2736852111795811506615169918-4223130991507985773-1131953262"
1⤵
PID:596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1032021131-140662477993573732515122727621925427910-1349011843-19254427551153499255"
1⤵
PID:648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "376111321721108669-8679385585092642671602844990-42946069176600991532823564"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-349718292-675544179-996689215-2133591219-263480964579402292-19381123651243479090"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18965963026767092071585701046-950248435-119598664598513712615742342321006049349"
1⤵
PID:872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20693722681763660989-6889273901004473709-74908455614401936131029250668-36085870"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-916898861-637622332894438492472826767-1359975653-374034242404496861657275682"
1⤵
PID:1180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19404863281521809622-183045627858311648352753865-4251085982110542160-1728210110"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8680122352098987369-1306275909991434111-10866267867294412161505563782108642855"
1⤵
PID:3076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9477975665634629220143481472006151904-382992551506577177-20931934031604859"
1⤵
PID:3748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1750514534-32095869110593885581105148112295329601-778575639-1938943093-2050516391"
1⤵
PID:3684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-895469983-160821986377163313-473546620209749631425198106-916176740818538954"
1⤵
PID:3876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21396908222001297312488697945-1420226408-89088279315632844797286706501994057041"
1⤵
PID:3420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1768363910-174421380740117533-648549746198033645-3161850251642481428898848226"
1⤵
PID:4676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19284548951360225121-1778179330-10269702019576390783657639021835443096-669789816"
1⤵
PID:5108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1258247678116828439-1266823132549770638-1093114171804824182-115535419-583441711"
1⤵
PID:2244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18230078557418763-1421911767-982734694-879317684-1780808274-1701423423-1731163726"
1⤵
PID:2340

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\b3b4f3ed7898259438492.bat

Filesize
332B

MD5
c72c3eab9c8d82c9d22b7d67a68ce1a7

SHA1
037bc05b4d2e3e4745083292c8d4d57d6bc6ee08

SHA256
c7f37de787c40b75634cc2578081b73808ec8923e35acdb5a690747b32d78a8c

SHA512
93a324e56fd16210fbb877f3afd314ae8617d9a553cb87bbedee2a87efdb19f1a7a471b759ae9dc4c5ae158f4216441c873c017d2863dde362f8b01a80deb38e

Download Submit
C:\b3b4f3ed7898259438539.bat

Filesize
188B

MD5
836d6e971c3cff9c6ad95b98f7674bf3

SHA1
db85806ce514b137b761ceaacdb04968616ba2a5

SHA256
bf78dd12754570802a27d2b18ee5b6fde4613d72e9df9312197b41a090ae1d1c

SHA512
aff5aca002a87055252c1d4533b16a779fda67f379aaf89010cfb5d632980c97ec89c0867fc2a927c30e78e5af0ef9fb9712a29c79937a40dffef4eae2414681

Download Submit
\Windows\SysWOW64\txMXYMXY1015.exe

Filesize
2KB

MD5
fcf2097110d5b445c1d9b3f417e2f674

SHA1
e71daa19bdda6a316f2f07100bc59507df155b31

SHA256
443a7b7a72d7254a23f1d7c812d7a4d79a85fb95e0c808205f2ff34605ae8fbd

SHA512
293489d97595d7e232525613563a5f8bf9eee569759c40121489288064ebd58f65fba018672b666f4860d788ecb9ad77a73f221bcae94bb6c700b2aa60567980

Download Submit