443a7b7a72d7254a23f1d7c812d7a4d79a85fb95e0c808205f2ff34605ae8fbd

Analysis

max time kernel
110s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe
Size

2KB
MD5

fcf2097110d5b445c1d9b3f417e2f674
SHA1

e71daa19bdda6a316f2f07100bc59507df155b31
SHA256

443a7b7a72d7254a23f1d7c812d7a4d79a85fb95e0c808205f2ff34605ae8fbd
SHA512

293489d97595d7e232525613563a5f8bf9eee569759c40121489288064ebd58f65fba018672b666f4860d788ecb9ad77a73f221bcae94bb6c700b2aa60567980

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
5772	txMXYMXY1015.exe
3840	txMXYMXY1015.exe
6128	txMXYMXY1015.exe
5192	txMXYMXY1015.exe
4788	txMXYMXY1015.exe
1384	txMXYMXY1015.exe
4868	txMXYMXY1015.exe
2804	txMXYMXY1015.exe
5948	txMXYMXY1015.exe
5620	txMXYMXY1015.exe
5184	txMXYMXY1015.exe
6140	txMXYMXY1015.exe
5856	txMXYMXY1015.exe
5932	txMXYMXY1015.exe
5888	txMXYMXY1015.exe
5812	txMXYMXY1015.exe
3908	txMXYMXY1015.exe
3916	txMXYMXY1015.exe
4496	txMXYMXY1015.exe
1168	txMXYMXY1015.exe
5056	txMXYMXY1015.exe
464	txMXYMXY1015.exe
3300	txMXYMXY1015.exe
5252	txMXYMXY1015.exe
4816	txMXYMXY1015.exe
2944	txMXYMXY1015.exe
2140	txMXYMXY1015.exe
5428	txMXYMXY1015.exe
836	txMXYMXY1015.exe
4592	txMXYMXY1015.exe
2100	txMXYMXY1015.exe
4516	txMXYMXY1015.exe
1332	txMXYMXY1015.exe
5748	txMXYMXY1015.exe
3212	txMXYMXY1015.exe
3856	txMXYMXY1015.exe
1448	txMXYMXY1015.exe
2056	txMXYMXY1015.exe
6040	txMXYMXY1015.exe
5180	txMXYMXY1015.exe
2916	txMXYMXY1015.exe
6112	txMXYMXY1015.exe
5856	txMXYMXY1015.exe
5852	txMXYMXY1015.exe
3572	txMXYMXY1015.exe
3868	txMXYMXY1015.exe
1696	txMXYMXY1015.exe
5308	txMXYMXY1015.exe
2508	txMXYMXY1015.exe
1344	txMXYMXY1015.exe
4636	txMXYMXY1015.exe
5732	txMXYMXY1015.exe
1824	txMXYMXY1015.exe
3488	txMXYMXY1015.exe
5488	txMXYMXY1015.exe
2636	txMXYMXY1015.exe
2228	txMXYMXY1015.exe
2304	txMXYMXY1015.exe
5948	txMXYMXY1015.exe
5272	txMXYMXY1015.exe
5056	txMXYMXY1015.exe
3932	txMXYMXY1015.exe
1696	txMXYMXY1015.exe
2396	txMXYMXY1015.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File created	C:\Windows\SysWOW64\txMXYMXY1015.exe	txMXYMXY1015.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\txMXYMXY1015.exe	attrib.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
11928	13724	Process not Found	1640

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txMXYMXY1015.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 4588	1276	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	84
PID 1276 wrote to memory of 4588	1276	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	84
PID 1276 wrote to memory of 4588	1276	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	84
PID 1276 wrote to memory of 5772	1276	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	85
PID 1276 wrote to memory of 5772	1276	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	85
PID 1276 wrote to memory of 5772	1276	fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe	85
PID 5772 wrote to memory of 536	5772	txMXYMXY1015.exe	87
PID 5772 wrote to memory of 536	5772	txMXYMXY1015.exe	87
PID 5772 wrote to memory of 536	5772	txMXYMXY1015.exe	87
PID 5772 wrote to memory of 3840	5772	txMXYMXY1015.exe	88
PID 5772 wrote to memory of 3840	5772	txMXYMXY1015.exe	88
PID 5772 wrote to memory of 3840	5772	txMXYMXY1015.exe	88
PID 3840 wrote to memory of 5128	3840	txMXYMXY1015.exe	90
PID 3840 wrote to memory of 5128	3840	txMXYMXY1015.exe	90
PID 3840 wrote to memory of 5128	3840	txMXYMXY1015.exe	90
PID 3840 wrote to memory of 6128	3840	txMXYMXY1015.exe	91
PID 3840 wrote to memory of 6128	3840	txMXYMXY1015.exe	91
PID 3840 wrote to memory of 6128	3840	txMXYMXY1015.exe	91
PID 6128 wrote to memory of 5168	6128	txMXYMXY1015.exe	92
PID 6128 wrote to memory of 5168	6128	txMXYMXY1015.exe	92
PID 6128 wrote to memory of 5168	6128	txMXYMXY1015.exe	92
PID 6128 wrote to memory of 5192	6128	txMXYMXY1015.exe	93
PID 6128 wrote to memory of 5192	6128	txMXYMXY1015.exe	93
PID 6128 wrote to memory of 5192	6128	txMXYMXY1015.exe	93
PID 5192 wrote to memory of 5552	5192	txMXYMXY1015.exe	96
PID 5192 wrote to memory of 5552	5192	txMXYMXY1015.exe	96
PID 5192 wrote to memory of 5552	5192	txMXYMXY1015.exe	96
PID 5192 wrote to memory of 4788	5192	txMXYMXY1015.exe	230
PID 5192 wrote to memory of 4788	5192	txMXYMXY1015.exe	230
PID 5192 wrote to memory of 4788	5192	txMXYMXY1015.exe	230
PID 4788 wrote to memory of 1212	4788	txMXYMXY1015.exe	98
PID 4788 wrote to memory of 1212	4788	txMXYMXY1015.exe	98
PID 4788 wrote to memory of 1212	4788	txMXYMXY1015.exe	98
PID 4788 wrote to memory of 1384	4788	txMXYMXY1015.exe	99
PID 4788 wrote to memory of 1384	4788	txMXYMXY1015.exe	99
PID 4788 wrote to memory of 1384	4788	txMXYMXY1015.exe	99
PID 1384 wrote to memory of 1044	1384	txMXYMXY1015.exe	102
PID 1384 wrote to memory of 1044	1384	txMXYMXY1015.exe	102
PID 1384 wrote to memory of 1044	1384	txMXYMXY1015.exe	102
PID 1384 wrote to memory of 4868	1384	txMXYMXY1015.exe	103
PID 1384 wrote to memory of 4868	1384	txMXYMXY1015.exe	103
PID 1384 wrote to memory of 4868	1384	txMXYMXY1015.exe	103
PID 4868 wrote to memory of 4572	4868	txMXYMXY1015.exe	105
PID 4868 wrote to memory of 4572	4868	txMXYMXY1015.exe	105
PID 4868 wrote to memory of 4572	4868	txMXYMXY1015.exe	105
PID 4868 wrote to memory of 2804	4868	txMXYMXY1015.exe	106
PID 4868 wrote to memory of 2804	4868	txMXYMXY1015.exe	106
PID 4868 wrote to memory of 2804	4868	txMXYMXY1015.exe	106
PID 4588 wrote to memory of 4832	4588	cmd.exe	107
PID 4588 wrote to memory of 4832	4588	cmd.exe	107
PID 4588 wrote to memory of 4832	4588	cmd.exe	107
PID 2804 wrote to memory of 1324	2804	txMXYMXY1015.exe	109
PID 2804 wrote to memory of 1324	2804	txMXYMXY1015.exe	109
PID 2804 wrote to memory of 1324	2804	txMXYMXY1015.exe	109
PID 2804 wrote to memory of 5948	2804	txMXYMXY1015.exe	306
PID 2804 wrote to memory of 5948	2804	txMXYMXY1015.exe	306
PID 2804 wrote to memory of 5948	2804	txMXYMXY1015.exe	306
PID 5948 wrote to memory of 5628	5948	txMXYMXY1015.exe	111
PID 5948 wrote to memory of 5628	5948	txMXYMXY1015.exe	111
PID 5948 wrote to memory of 5628	5948	txMXYMXY1015.exe	111
PID 5948 wrote to memory of 5620	5948	txMXYMXY1015.exe	112
PID 5948 wrote to memory of 5620	5948	txMXYMXY1015.exe	112
PID 5948 wrote to memory of 5620	5948	txMXYMXY1015.exe	112
PID 5620 wrote to memory of 1856	5620	txMXYMXY1015.exe	115

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5852	attrib.exe
8596	attrib.exe
10252	attrib.exe
8584	attrib.exe
12732	Process not Found
6040	Process not Found
7052	attrib.exe
6336	attrib.exe
11452	Process not Found
14064	Process not Found
14064	Process not Found
8528	attrib.exe
10096	attrib.exe
11144	attrib.exe
11684	attrib.exe
9656	attrib.exe
12052	Process not Found
6272	attrib.exe
12068	attrib.exe
6932	attrib.exe
10884	attrib.exe
11532	Process not Found
13724	Process not Found
11848	Process not Found
10032	attrib.exe
11200	attrib.exe
11756	Process not Found
13588	Process not Found
12632	Process not Found
11924	Process not Found
11904	Process not Found
5572	attrib.exe
11772	attrib.exe
11400	Process not Found
12212	Process not Found
9016	attrib.exe
10032	attrib.exe
2396	attrib.exe
7328	Process not Found
2664	attrib.exe
12148	Process not Found
13088	Process not Found
12024	Process not Found
14284	Process not Found
7940	attrib.exe
8508	attrib.exe
11580	attrib.exe
11960	Process not Found
11972	Process not Found
10492	attrib.exe
13152	Process not Found
11752	Process not Found
13628	Process not Found
7576	attrib.exe
7312	attrib.exe
12616	Process not Found
9928	attrib.exe
6448	attrib.exe
9656	attrib.exe
8004	attrib.exe
8924	attrib.exe
10728	attrib.exe
11636	attrib.exe
13244	Process not Found

C:\Users\Admin\AppData\Local\Temp\fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247078.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\fcf2097110d5b445c1d9b3f417e2f674_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:4832
- C:\Windows\SysWOW64\txMXYMXY1015.exe
  C:\Windows\system32\txMXYMXY1015.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247109.bat
    3⤵
    PID:536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:6440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:7720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:8736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:9400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
      4⤵
      PID:8952
- - C:\Windows\SysWOW64\txMXYMXY1015.exe
    C:\Windows\system32\txMXYMXY1015.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247125.bat
      4⤵
      PID:5128
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:3848
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:5412
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:8892
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:9840
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:10996
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        5⤵
        
        PID:12036
  - - C:\Windows\SysWOW64\txMXYMXY1015.exe
      C:\Windows\system32\txMXYMXY1015.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:6128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247140.bat
        5⤵
        
        PID:5168
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:3444
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:2280
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:6428
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:6644
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:9356
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        6⤵
        
        PID:11996
    - - C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247171.bat
        6⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        7⤵
        
        PID:11176
      - C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247203.bat
        7⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        Views/modifies file attributes
        
        PID:5852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        8⤵
        Views/modifies file attributes
        
        PID:2396
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247203.bat
        8⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:11452
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247234.bat
        9⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        10⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247265.bat
        10⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        11⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247281.bat
        11⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        12⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247312.bat
        12⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        13⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        12⤵
        Executes dropped EXE
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247343.bat
        13⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        Drops file in System32 directory
        
        PID:8868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        14⤵
        Views/modifies file attributes
        
        PID:11684
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247390.bat
        14⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        15⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        14⤵
        Executes dropped EXE
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247406.bat
        15⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        
        PID:908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        Views/modifies file attributes
        
        PID:7940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        16⤵
        
        PID:11344
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        15⤵
        Executes dropped EXE
        
        PID:5932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247453.bat
        16⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        17⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        17⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        17⤵
        Drops file in System32 directory
        
        PID:8720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        17⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        16⤵
        Executes dropped EXE
        
        PID:5888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247515.bat
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        Views/modifies file attributes
        
        PID:5572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:8144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        18⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247546.bat
        18⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        19⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        19⤵
        Views/modifies file attributes
        
        PID:6272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        19⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        19⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        19⤵
        Views/modifies file attributes
        
        PID:12068
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        18⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247578.bat
        19⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        20⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247625.bat
        20⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        21⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        21⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        21⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        21⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        21⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        20⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247656.bat
        21⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        22⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        21⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247671.bat
        22⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        Drops file in System32 directory
        
        PID:9220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        23⤵
        
        PID:12036
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        22⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247703.bat
        23⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        24⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        24⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        24⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        24⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        24⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        23⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247750.bat
        24⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        25⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        25⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        25⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        25⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        25⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        24⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247796.bat
        25⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        26⤵
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        26⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        26⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        26⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        26⤵
        Drops file in System32 directory
        
        PID:8352
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        25⤵
        Executes dropped EXE
        
        PID:5252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247843.bat
        26⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        27⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:7092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        27⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        27⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        27⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        26⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247890.bat
        27⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        Drops file in System32 directory
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        28⤵
        Drops file in System32 directory
        
        PID:9832
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        27⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247937.bat
        28⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        29⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        29⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        29⤵
        Views/modifies file attributes
        
        PID:8528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        29⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        29⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        28⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898247968.bat
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        30⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248015.bat
        30⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        31⤵
        
        PID:11588
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        30⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248078.bat
        31⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:10788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        32⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        31⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248093.bat
        32⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        33⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        33⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        33⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        33⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        33⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        32⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248156.bat
        33⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        34⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        34⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        34⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        34⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        33⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248203.bat
        34⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        35⤵
        Views/modifies file attributes
        
        PID:11144
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        34⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248234.bat
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        36⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        36⤵
        
        PID:8
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        36⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        36⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        36⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        35⤵
        Executes dropped EXE
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248312.bat
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        Views/modifies file attributes
        
        PID:8924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        37⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        36⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248343.bat
        37⤵
        
        PID:764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:9852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        38⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        37⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248390.bat
        38⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        39⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        39⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        39⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        39⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        39⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        38⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248437.bat
        39⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        40⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        40⤵
        Views/modifies file attributes
        
        PID:7576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        40⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        40⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        39⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248468.bat
        40⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        41⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        41⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        41⤵
        Views/modifies file attributes
        
        PID:9016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        41⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        40⤵
        Executes dropped EXE
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248500.bat
        41⤵
        
        PID:5508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        42⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        42⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        42⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        42⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        41⤵
        Executes dropped EXE
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248562.bat
        42⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        43⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        43⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        43⤵
        Drops file in System32 directory
        
        PID:8172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        43⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        42⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248593.bat
        43⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        44⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        44⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        44⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        44⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        43⤵
        Executes dropped EXE
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248625.bat
        44⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        45⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        45⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        45⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        45⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        45⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        44⤵
        Executes dropped EXE
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248640.bat
        45⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        46⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        46⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        46⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        46⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        45⤵
        Executes dropped EXE
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248687.bat
        46⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        47⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        47⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        47⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        47⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        46⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248703.bat
        47⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        48⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        48⤵
        Drops file in System32 directory
        
        PID:7544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        48⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        48⤵
        Drops file in System32 directory
        
        PID:10508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        48⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        47⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248734.bat
        48⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        49⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        49⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        49⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        49⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        48⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248796.bat
        49⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        50⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        50⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        50⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        50⤵
        Views/modifies file attributes
        
        PID:10884
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        49⤵
        Executes dropped EXE
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248843.bat
        50⤵
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        51⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        51⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        51⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        51⤵
        Drops file in System32 directory
        
        PID:12084
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        50⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248937.bat
        51⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        52⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        52⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        52⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:11912
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        51⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898248953.bat
        52⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        53⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        53⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        53⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        53⤵
        
        PID:11756
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        52⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249000.bat
        53⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        54⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        54⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        54⤵
        Views/modifies file attributes
        
        PID:10032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:11512
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        53⤵
        Executes dropped EXE
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249015.bat
        54⤵
        
        PID:756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        55⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        55⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        55⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        55⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        54⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249046.bat
        55⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        56⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        56⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        56⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        56⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        55⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249078.bat
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        57⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        57⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        57⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        57⤵
        Views/modifies file attributes
        
        PID:9656
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        56⤵
        Executes dropped EXE
        
        PID:5488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249140.bat
        57⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        58⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        58⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        58⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        58⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        57⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249171.bat
        58⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        Views/modifies file attributes
        
        PID:2664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        Views/modifies file attributes
        
        PID:7312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        Views/modifies file attributes
        
        PID:10252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:10648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        59⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249187.bat
        59⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        60⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        60⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        60⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        60⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        59⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249203.bat
        60⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        61⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        61⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        61⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        61⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        61⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        60⤵
        Executes dropped EXE
        
        PID:5948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249265.bat
        61⤵
        
        PID:908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        62⤵
        
        PID:11460
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        61⤵
        Executes dropped EXE
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249312.bat
        62⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        63⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249375.bat
        63⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        64⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        64⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        64⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        64⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        63⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249390.bat
        64⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        65⤵
        Views/modifies file attributes
        
        PID:7052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        65⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        65⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        65⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        64⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249437.bat
        65⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        66⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        66⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        66⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        66⤵
        
        PID:11412
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        65⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249468.bat
        66⤵
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        67⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        67⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        67⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249515.bat
        67⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        68⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        68⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        68⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        67⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249562.bat
        68⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        69⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        69⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        69⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        69⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        68⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249609.bat
        69⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        70⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        70⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        70⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        70⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        69⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249656.bat
        70⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        71⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        71⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        71⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        71⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        70⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249750.bat
        71⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        72⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        72⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        72⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        71⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249828.bat
        72⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        73⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        73⤵
        Drops file in System32 directory
        
        PID:8900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        73⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        73⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        72⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249859.bat
        73⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        74⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        74⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        74⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        74⤵
        Views/modifies file attributes
        
        PID:9656
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        73⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249906.bat
        74⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        75⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        75⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        75⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        74⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898249968.bat
        75⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        76⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        76⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        76⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        76⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        75⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250000.bat
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:6788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        77⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        77⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        77⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        76⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250015.bat
        77⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        78⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        78⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        78⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        78⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        77⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250062.bat
        78⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        79⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        79⤵
        Views/modifies file attributes
        
        PID:8584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        79⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        78⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250125.bat
        79⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        80⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        80⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        80⤵
        Views/modifies file attributes
        
        PID:6448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        80⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        79⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250203.bat
        80⤵
        
        PID:6152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        81⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        80⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250234.bat
        81⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        82⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        82⤵
        Views/modifies file attributes
        
        PID:9928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        82⤵
        Drops file in System32 directory
        
        PID:8952
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:6260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250265.bat
        82⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        83⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        83⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        83⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        82⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250328.bat
        83⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        84⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        84⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        84⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        83⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250375.bat
        84⤵
        
        PID:5664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        85⤵
        Views/modifies file attributes
        
        PID:6336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        85⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        85⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        84⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250406.bat
        85⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        86⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        86⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        86⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        85⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250437.bat
        86⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        87⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        87⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        87⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        86⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250500.bat
        87⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        88⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        88⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        88⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:7104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250562.bat
        88⤵
        
        PID:6224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        89⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        89⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        89⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        88⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250609.bat
        89⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:11096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        90⤵
        Views/modifies file attributes
        
        PID:11772
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        89⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250625.bat
        90⤵
        
        PID:1832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        91⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        91⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        91⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        90⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250656.bat
        91⤵
        
        PID:6888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        92⤵
        Views/modifies file attributes
        
        PID:8596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        92⤵
        Drops file in System32 directory
        
        PID:9952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        92⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        92⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        91⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250687.bat
        92⤵
        
        PID:6880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        93⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        93⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        92⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250718.bat
        93⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        94⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        94⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        94⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        94⤵
        
        PID:412
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        93⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250781.bat
        94⤵
        
        PID:6236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        95⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        95⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        95⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        94⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250812.bat
        95⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        96⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        96⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        96⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        95⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250921.bat
        96⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        97⤵
        Drops file in System32 directory
        
        PID:8604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        97⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        97⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        97⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:7384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898250968.bat
        97⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        98⤵
        Views/modifies file attributes
        
        PID:8004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        98⤵
        Views/modifies file attributes
        
        PID:8508
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        97⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251015.bat
        98⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        99⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        99⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        98⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251109.bat
        99⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        100⤵
        Drops file in System32 directory
        
        PID:8052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        100⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        100⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        99⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251140.bat
        100⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        101⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        101⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:7880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251187.bat
        101⤵
        
        PID:7964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        102⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        102⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        102⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:11220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        102⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        101⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251203.bat
        102⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        103⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        103⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        103⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        102⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251265.bat
        103⤵
        
        PID:6416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        104⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        104⤵
        
        PID:10660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        104⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        103⤵
        Drops file in System32 directory
        
        PID:7124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251328.bat
        104⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        105⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        105⤵
        
        PID:412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        105⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        104⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251375.bat
        105⤵
        
        PID:7456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        106⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        106⤵
        
        PID:11084
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        105⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251421.bat
        106⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        107⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        107⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:7284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251484.bat
        107⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        108⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        108⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        108⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        108⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        108⤵
        Drops file in System32 directory
        
        PID:11756
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        107⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251515.bat
        108⤵
        
        PID:7392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        109⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        109⤵
        Views/modifies file attributes
        
        PID:10032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        109⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        108⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251546.bat
        109⤵
        
        PID:7120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        110⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        110⤵
        Drops file in System32 directory
        
        PID:9884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        110⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        110⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        109⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251578.bat
        110⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        111⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        111⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        111⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        110⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251656.bat
        111⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        112⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        112⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        112⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        111⤵
        Drops file in System32 directory
        
        PID:7492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251687.bat
        112⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        113⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        113⤵
        Drops file in System32 directory
        
        PID:9628
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        112⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251765.bat
        113⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        114⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        114⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        113⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251859.bat
        114⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        115⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        115⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        114⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251937.bat
        115⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        116⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        116⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        115⤵
        Drops file in System32 directory
        
        PID:8460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898251968.bat
        116⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        117⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        117⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        117⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        116⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252015.bat
        117⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        118⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        118⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        118⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        117⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252250.bat
        118⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        119⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        119⤵
        
        PID:11440
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        118⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252312.bat
        119⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        120⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        120⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        119⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252375.bat
        120⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        121⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        121⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        120⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252453.bat
        121⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        122⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        122⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        121⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252484.bat
        122⤵
        
        PID:8028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        123⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        123⤵
        
        PID:12096
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        122⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252578.bat
        123⤵
        
        PID:8648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        124⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        124⤵
        
        PID:11976
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        123⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252671.bat
        124⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        125⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        125⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        124⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252781.bat
        125⤵
        
        PID:6644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        126⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        126⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        125⤵
        Drops file in System32 directory
        
        PID:7328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252812.bat
        126⤵
        
        PID:8320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        127⤵
        Views/modifies file attributes
        
        PID:10492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        127⤵
        
        PID:11380
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        126⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252843.bat
        127⤵
        
        PID:8180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        128⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        128⤵
        Drops file in System32 directory
        
        PID:10848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        128⤵
        Drops file in System32 directory
        
        PID:8588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        128⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        128⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        127⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252875.bat
        128⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        129⤵
        Drops file in System32 directory
        
        PID:10956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        129⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        128⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252937.bat
        129⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        130⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        130⤵
        Drops file in System32 directory
        
        PID:10676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        130⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        130⤵
        Views/modifies file attributes
        
        PID:11200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        130⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        129⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898252984.bat
        130⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        131⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        131⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        130⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253062.bat
        131⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        132⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        132⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        131⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253078.bat
        132⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        133⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        133⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        132⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253140.bat
        133⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        134⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        134⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        133⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253203.bat
        134⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        135⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        135⤵
        
        PID:12208
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        134⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253234.bat
        135⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        136⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        136⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        135⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253296.bat
        136⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        137⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        136⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253328.bat
        137⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        138⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        137⤵
        Drops file in System32 directory
        
        PID:10088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253390.bat
        138⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        139⤵
        Drops file in System32 directory
        
        PID:8464
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        138⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253484.bat
        139⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        140⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        140⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        139⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253531.bat
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:7900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        141⤵
        Views/modifies file attributes
        
        PID:10096
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        140⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253562.bat
        141⤵
        
        PID:9036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:10432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        142⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        141⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253656.bat
        142⤵
        
        PID:6972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        143⤵
        Views/modifies file attributes
        
        PID:10728
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        142⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253703.bat
        143⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        144⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        144⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:11580
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        143⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253781.bat
        144⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        145⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        144⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253812.bat
        145⤵
        
        PID:8828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        146⤵
        Drops file in System32 directory
        
        PID:10976
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        145⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253859.bat
        146⤵
        
        PID:8268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        147⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        146⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253921.bat
        147⤵
        
        PID:9244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        148⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        147⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898253953.bat
        148⤵
        
        PID:9804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        149⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        148⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254000.bat
        149⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        150⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        149⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254406.bat
        150⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        151⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        151⤵
        Drops file in System32 directory
        
        PID:12128
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        150⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254437.bat
        151⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        152⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        152⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        151⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254515.bat
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:9744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        153⤵
        Drops file in System32 directory
        
        PID:11004
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        152⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254546.bat
        153⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        154⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        153⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254609.bat
        154⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:8732
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        154⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254750.bat
        155⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        156⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        155⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254812.bat
        156⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        157⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        156⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254843.bat
        157⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        158⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        157⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254875.bat
        158⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        159⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        158⤵
        
        PID:10984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898254968.bat
        159⤵
        
        PID:11160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        160⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        159⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255000.bat
        160⤵
        
        PID:11236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        161⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:11244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255046.bat
        161⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        162⤵
        Views/modifies file attributes
        
        PID:11636
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        161⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255140.bat
        162⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        163⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        162⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255234.bat
        163⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        164⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        163⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255312.bat
        164⤵
        
        PID:9484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:10396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        165⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        164⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255375.bat
        165⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:11396
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        165⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255453.bat
        166⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        167⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        166⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255531.bat
        167⤵
        
        PID:9024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        168⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        167⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255609.bat
        168⤵
        
        PID:10500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        169⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        168⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255718.bat
        169⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        170⤵
        
        PID:11764
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        169⤵
        Drops file in System32 directory
        
        PID:8800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255796.bat
        170⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        171⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        170⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255859.bat
        171⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        172⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        171⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255906.bat
        172⤵
        
        PID:10876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        173⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        172⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255921.bat
        173⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        174⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        173⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898255953.bat
        174⤵
        
        PID:11020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        175⤵
        
        PID:11816
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        174⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256031.bat
        175⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        176⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        175⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256062.bat
        176⤵
        
        PID:11084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        177⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        176⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256140.bat
        177⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        177⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256218.bat
        178⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        179⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        178⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256265.bat
        179⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        179⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256390.bat
        180⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\txMXYMXY1015.exe" -r -a -s -h
        181⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:10452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256437.bat
        181⤵
        
        PID:10020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        181⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256484.bat
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:8616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        182⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256546.bat
        183⤵
        
        PID:11248
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        183⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256609.bat
        184⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        184⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256625.bat
        185⤵
        
        PID:11496
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        185⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256671.bat
        186⤵
        
        PID:11668
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:11676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256718.bat
        187⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        187⤵
        Drops file in System32 directory
        
        PID:11804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256812.bat
        188⤵
        
        PID:12132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        188⤵
        
        PID:12140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256859.bat
        189⤵
        
        PID:12260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        189⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256890.bat
        190⤵
        
        PID:10728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        190⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898256953.bat
        191⤵
        
        PID:11484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        191⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898257000.bat
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:11784
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        192⤵
        
        PID:11792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898257062.bat
        193⤵
        
        PID:11804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        194⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        193⤵
        
        PID:11944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898257171.bat
        194⤵
        
        PID:11044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        194⤵
        
        PID:12032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898257187.bat
        195⤵
        
        PID:11480
        
        C:\Windows\SysWOW64\txMXYMXY1015.exe
        
        C:\Windows\system32\txMXYMXY1015.exe
        195⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\b3b4f3ed7898257296.bat
        196⤵
        
        PID:9272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\txMXYMXY1015.exe

Filesize
2KB

MD5
fcf2097110d5b445c1d9b3f417e2f674

SHA1
e71daa19bdda6a316f2f07100bc59507df155b31

SHA256
443a7b7a72d7254a23f1d7c812d7a4d79a85fb95e0c808205f2ff34605ae8fbd

SHA512
293489d97595d7e232525613563a5f8bf9eee569759c40121489288064ebd58f65fba018672b666f4860d788ecb9ad77a73f221bcae94bb6c700b2aa60567980

Download Submit
C:\b3b4f3ed7898247078.bat

Filesize
332B

MD5
c72c3eab9c8d82c9d22b7d67a68ce1a7

SHA1
037bc05b4d2e3e4745083292c8d4d57d6bc6ee08

SHA256
c7f37de787c40b75634cc2578081b73808ec8923e35acdb5a690747b32d78a8c

SHA512
93a324e56fd16210fbb877f3afd314ae8617d9a553cb87bbedee2a87efdb19f1a7a471b759ae9dc4c5ae158f4216441c873c017d2863dde362f8b01a80deb38e

Download Submit
C:\b3b4f3ed7898247140.bat

Filesize
188B

MD5
836d6e971c3cff9c6ad95b98f7674bf3

SHA1
db85806ce514b137b761ceaacdb04968616ba2a5

SHA256
bf78dd12754570802a27d2b18ee5b6fde4613d72e9df9312197b41a090ae1d1c

SHA512
aff5aca002a87055252c1d4533b16a779fda67f379aaf89010cfb5d632980c97ec89c0867fc2a927c30e78e5af0ef9fb9712a29c79937a40dffef4eae2414681

Download Submit
memory/9780-554-0x00007FF8B7570000-0x00007FF8B7765000-memory.dmp

Filesize
2.0MB

Download
memory/14296-555-0x00007FF8B7570000-0x00007FF8B7765000-memory.dmp

Filesize
2.0MB

Download