8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

Analysis

max time kernel
179s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 08:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe
Size

100KB
MD5

1d73d5a0d28be3ed5b18a3053000710e
SHA1

edda1e2d2e4870232ff882559ec46fb3455c272e
SHA256

8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f
SHA512

b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397
SSDEEP

768:i2NOlu0un69UIWT5tCoIGOwtwPyqPEEhEMigiqU6:iZluR66IWT5tcS2K7EhUtqD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1468	wlhins.exe
2616	wlhins.exe
1556	wlhins.exe
2832	wlhins.exe
1524	wlhins.exe
5068	wlhins.exe
800	wlhins.exe
2216	wlhins.exe
4656	wlhins.exe
4664	wlhins.exe
900	wlhins.exe
4896	wlhins.exe
4292	wlhins.exe
1624	wlhins.exe
2492	wlhins.exe
3192	wlhins.exe
4536	wlhins.exe
5100	wlhins.exe
4444	wlhins.exe
3540	wlhins.exe
4544	wlhins.exe
1640	wlhins.exe
4976	wlhins.exe
312	wlhins.exe
3484	wlhins.exe
3416	wlhins.exe
3676	wlhins.exe
2148	wlhins.exe
4540	wlhins.exe
3476	wlhins.exe
4136	wlhins.exe
4968	wlhins.exe
3188	wlhins.exe
5228	wlhins.exe
5356	wlhins.exe
5464	wlhins.exe
5576	wlhins.exe
5704	wlhins.exe
5908	wlhins.exe
6088	wlhins.exe
5436	wlhins.exe
5636	wlhins.exe
5792	wlhins.exe
5716	wlhins.exe
5140	wlhins.exe
5700	wlhins.exe
5292	wlhins.exe
5408	wlhins.exe
5944	wlhins.exe
6036	wlhins.exe
6248	wlhins.exe
6408	wlhins.exe
6556	wlhins.exe
6736	wlhins.exe
6868	wlhins.exe
7032	wlhins.exe
5508	wlhins.exe
2220	wlhins.exe
6456	wlhins.exe
6284	wlhins.exe
7156	wlhins.exe
6852	wlhins.exe
6916	wlhins.exe
5144	wlhins.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wlhins.exe	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\wlhpri.dll	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\wlhins.exe	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	wlhins.exe
File created	C:\Windows\SysWOW64\wlhpri.dll	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wlhins.exe	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\wlhpri.dll	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\wlhins.exe	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wlhins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\wlhins.exe	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wlhins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\wlhins.exe	wlhins.exe
File created	C:\Windows\SysWOW64\wlhpri.dll	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\wlhpri.dll	wlhins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found

Program crash 8 IoCs

pid	pid_target	Process	procid_target
6440	7688	Process not Found	2546
12768	6440	Process not Found	2562
10428	15304	Process not Found	2582
14484	14624	Process not Found	2525
5536	676	Process not Found	2533
11256	14380	Process not Found	2724
11520	8188	Process not Found	2794
5508	6376	Process not Found	2892

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ThreadingModel = "Apartment"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhpri.dll"	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	wlhins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5182C1EB-375C-573D-1F5E-234552345215}\InprocServer32	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
920	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe
920	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe
1468	wlhins.exe
1468	wlhins.exe
2616	wlhins.exe
2616	wlhins.exe
1556	wlhins.exe
1556	wlhins.exe
2832	wlhins.exe
2832	wlhins.exe
1524	wlhins.exe
1524	wlhins.exe
5068	wlhins.exe
5068	wlhins.exe
800	wlhins.exe
800	wlhins.exe
2216	wlhins.exe
2216	wlhins.exe
4656	wlhins.exe
4656	wlhins.exe
4664	wlhins.exe
4664	wlhins.exe
900	wlhins.exe
900	wlhins.exe
4896	wlhins.exe
4896	wlhins.exe
4292	wlhins.exe
4292	wlhins.exe
1624	wlhins.exe
1624	wlhins.exe
2492	wlhins.exe
2492	wlhins.exe
3192	wlhins.exe
3192	wlhins.exe
4536	wlhins.exe
4536	wlhins.exe
5100	wlhins.exe
5100	wlhins.exe
4444	wlhins.exe
4444	wlhins.exe
3540	wlhins.exe
3540	wlhins.exe
4544	wlhins.exe
4544	wlhins.exe
1640	wlhins.exe
1640	wlhins.exe
312	wlhins.exe
312	wlhins.exe
3484	wlhins.exe
3484	wlhins.exe
3416	wlhins.exe
3416	wlhins.exe
3676	wlhins.exe
3676	wlhins.exe
2148	wlhins.exe
2148	wlhins.exe
4540	wlhins.exe
4540	wlhins.exe
3476	wlhins.exe
3476	wlhins.exe
4136	wlhins.exe
4136	wlhins.exe
4968	wlhins.exe
4968	wlhins.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 220	920	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe	81
PID 920 wrote to memory of 220	920	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe	81
PID 920 wrote to memory of 220	920	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe	81
PID 920 wrote to memory of 1468	920	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe	83
PID 920 wrote to memory of 1468	920	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe	83
PID 920 wrote to memory of 1468	920	8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe	83
PID 1468 wrote to memory of 524	1468	wlhins.exe	84
PID 1468 wrote to memory of 524	1468	wlhins.exe	84
PID 1468 wrote to memory of 524	1468	wlhins.exe	84
PID 1468 wrote to memory of 2616	1468	wlhins.exe	87
PID 1468 wrote to memory of 2616	1468	wlhins.exe	87
PID 1468 wrote to memory of 2616	1468	wlhins.exe	87
PID 220 wrote to memory of 3392	220	cmd.exe	86
PID 220 wrote to memory of 3392	220	cmd.exe	86
PID 220 wrote to memory of 3392	220	cmd.exe	86
PID 2616 wrote to memory of 4468	2616	wlhins.exe	89
PID 2616 wrote to memory of 4468	2616	wlhins.exe	89
PID 2616 wrote to memory of 4468	2616	wlhins.exe	89
PID 2616 wrote to memory of 1556	2616	wlhins.exe	91
PID 2616 wrote to memory of 1556	2616	wlhins.exe	91
PID 2616 wrote to memory of 1556	2616	wlhins.exe	91
PID 4468 wrote to memory of 4876	4468	cmd.exe	92
PID 4468 wrote to memory of 4876	4468	cmd.exe	92
PID 4468 wrote to memory of 4876	4468	cmd.exe	92
PID 524 wrote to memory of 2180	524	cmd.exe	93
PID 524 wrote to memory of 2180	524	cmd.exe	93
PID 524 wrote to memory of 2180	524	cmd.exe	93
PID 1556 wrote to memory of 4260	1556	wlhins.exe	94
PID 1556 wrote to memory of 4260	1556	wlhins.exe	94
PID 1556 wrote to memory of 4260	1556	wlhins.exe	94
PID 1556 wrote to memory of 2832	1556	wlhins.exe	96
PID 1556 wrote to memory of 2832	1556	wlhins.exe	96
PID 1556 wrote to memory of 2832	1556	wlhins.exe	96
PID 4260 wrote to memory of 4088	4260	cmd.exe	97
PID 4260 wrote to memory of 4088	4260	cmd.exe	97
PID 4260 wrote to memory of 4088	4260	cmd.exe	97
PID 4468 wrote to memory of 3540	4468	cmd.exe	98
PID 4468 wrote to memory of 3540	4468	cmd.exe	98
PID 4468 wrote to memory of 3540	4468	cmd.exe	98
PID 524 wrote to memory of 4304	524	cmd.exe	99
PID 524 wrote to memory of 4304	524	cmd.exe	99
PID 524 wrote to memory of 4304	524	cmd.exe	99
PID 2832 wrote to memory of 796	2832	wlhins.exe	100
PID 2832 wrote to memory of 796	2832	wlhins.exe	100
PID 2832 wrote to memory of 796	2832	wlhins.exe	100
PID 220 wrote to memory of 3912	220	cmd.exe	101
PID 220 wrote to memory of 3912	220	cmd.exe	101
PID 220 wrote to memory of 3912	220	cmd.exe	101
PID 2832 wrote to memory of 1524	2832	wlhins.exe	103
PID 2832 wrote to memory of 1524	2832	wlhins.exe	103
PID 2832 wrote to memory of 1524	2832	wlhins.exe	103
PID 220 wrote to memory of 4312	220	cmd.exe	104
PID 220 wrote to memory of 4312	220	cmd.exe	104
PID 220 wrote to memory of 4312	220	cmd.exe	104
PID 4260 wrote to memory of 2204	4260	cmd.exe	105
PID 4260 wrote to memory of 2204	4260	cmd.exe	105
PID 4260 wrote to memory of 2204	4260	cmd.exe	105
PID 1524 wrote to memory of 2812	1524	wlhins.exe	106
PID 1524 wrote to memory of 2812	1524	wlhins.exe	106
PID 1524 wrote to memory of 2812	1524	wlhins.exe	106
PID 796 wrote to memory of 4624	796	cmd.exe	108
PID 796 wrote to memory of 4624	796	cmd.exe	108
PID 796 wrote to memory of 4624	796	cmd.exe	108
PID 796 wrote to memory of 2492	796	cmd.exe	109

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
8220	Process not Found
6960	Process not Found
6560	Process not Found
15828	Process not Found
9124	Process not Found
5024	Process not Found
15020	Process not Found
4108	Process not Found
5536	Process not Found
4112	attrib.exe
5136	attrib.exe
14048	Process not Found
10960	Process not Found
12276	Process not Found
16220	Process not Found
12048	Process not Found
1600	Process not Found
15940	Process not Found
6020	Process not Found
13320	Process not Found
1288	Process not Found
7516	attrib.exe
5376	Process not Found
7668	Process not Found
3732	Process not Found
5024	Process not Found
6308	Process not Found
9680	Process not Found
9960	Process not Found
10364	Process not Found
7988	Process not Found
8800	Process not Found
6716	Process not Found
15204	Process not Found
10772	Process not Found
12760	Process not Found
6088	Process not Found
13876	Process not Found
8576	Process not Found
11292	Process not Found
13856	Process not Found
10940	Process not Found
7792	Process not Found
14244	Process not Found
14836	Process not Found
6304	Process not Found
7712	Process not Found
12644	Process not Found
3012	Process not Found
11248	Process not Found
6280	attrib.exe
14632	Process not Found
11820	Process not Found
12304	Process not Found
16356	Process not Found
2424	Process not Found
13412	Process not Found
6444	Process not Found
11580	Process not Found
5204	attrib.exe
4124	Process not Found
6476	Process not Found
4592	Process not Found
7836	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe
"C:\Users\Admin\AppData\Local\Temp\8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240611906.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:4184
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240653015.bat
      4⤵
      PID:5540
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6368
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7260
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6968
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7784
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:8740
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6432
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6968
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7660
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6584
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7784
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:8568
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:9188
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:9024
- C:\Windows\SysWOW64\wlhins.exe
  C:\Windows\system32\wlhins.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240612406.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4304
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5288
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:6368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:7268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:7648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:7272
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:7896
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:10160
- - C:\Windows\SysWOW64\wlhins.exe
    C:\Windows\system32\wlhins.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240612578.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4876
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3872
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:544
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1292
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4776
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3480
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5056
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:64
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:3824
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4088
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3460
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5720
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6032
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6392
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6660
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7212
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6424
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:8076
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7500
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:9872
  - - C:\Windows\SysWOW64\wlhins.exe
      C:\Windows\system32\wlhins.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240629718.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4088
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2204
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2760
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5072
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5092
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:632
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:672
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4380
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:2100
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5992
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5864
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:6772
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:6548
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:7892
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:8396
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:9252
    - - C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240632265.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:10232
      - C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240632406.bat
        7⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240632531.bat
        8⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240632640.bat
        9⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240632796.bat
        10⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240652187.bat
        12⤵
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240633062.bat
        11⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240633250.bat
        12⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240633406.bat
        13⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:6884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642171.bat
        14⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642265.bat
        15⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642343.bat
        16⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642421.bat
        17⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648375.bat
        18⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:6500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648546.bat
        19⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5100
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649062.bat
        21⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649171.bat
        22⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648953.bat
        20⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:9608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240648312.bat
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:4128
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:4360
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:4736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:3228
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:6020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:5136
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:6400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:6360
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:6632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:6764
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:8056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:8788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wlhins.exe" -r -a -s -h
      4⤵
      PID:9600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240642875.bat
  2⤵
  PID:4744
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f.exe" -r -a -s -h
    3⤵
    PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240649265.bat
1⤵
PID:3524
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2416
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4944
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5772
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6120
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6960
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6892
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7276
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:8016
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8304
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8256

C:\Windows\SysWOW64\wlhins.exe
C:\Windows\system32\wlhins.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240649390.bat
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:32
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6380
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7812
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7476
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:8536
  - - C:\Windows\SysWOW64\wlhins.exe
      C:\Windows\system32\wlhins.exe
      4⤵
      PID:9308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240657843.bat
        5⤵
        
        PID:9444
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:10096
    - - C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        5⤵
        Modifies registry class
        
        PID:9512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240657937.bat
        6⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:9796
      - C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        6⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240658031.bat
        7⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        7⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        8⤵
        Drops file in System32 directory
        
        PID:10068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240658234.bat
        9⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        9⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        10⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240658437.bat
        11⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        11⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        12⤵
        Modifies registry class
        
        PID:9788
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        13⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240658718.bat
        14⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        14⤵
        Drops file in System32 directory
        
        PID:8896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240658843.bat
        15⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        15⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240658937.bat
        16⤵
        
        PID:9792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        16⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240659046.bat
        17⤵
        
        PID:9576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240658625.bat
        13⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240658531.bat
        12⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240658343.bat
        10⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240658140.bat
        8⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:8420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240657718.bat
      4⤵
      PID:9224
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:8316
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:10020
- C:\Windows\SysWOW64\wlhins.exe
  C:\Windows\system32\wlhins.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240649484.bat
    3⤵
    PID:4192
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5328
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:5192
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:6032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:5320
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:6892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:8156
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:7868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:8328
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:9400
- - C:\Windows\SysWOW64\wlhins.exe
    C:\Windows\system32\wlhins.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240649578.bat
      4⤵
      PID:5036
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1272
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4608
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Views/modifies file attributes
        
        PID:4112
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5260
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:6076
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6368
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6732
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7044
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:7200
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7432
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7340
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:9432
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:8596
  - - C:\Windows\SysWOW64\wlhins.exe
      C:\Windows\system32\wlhins.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649671.bat
        5⤵
        
        PID:3828
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4996
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5748
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5476
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:7152
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:7068
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:7360
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:7204
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:7876
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:7940
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:7932
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:9068
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:8876
    - - C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3416
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649796.bat
        6⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:7548
      - C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649890.bat
        7⤵
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650015.bat
        8⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650109.bat
        9⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240657625.bat
        11⤵
        
        PID:8664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        11⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650203.bat
        10⤵
        
        PID:424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650343.bat
        11⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4968
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        12⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650531.bat
        13⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240651671.bat
        15⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:7488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:6564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650625.bat
        14⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        14⤵
        Executes dropped EXE
        
        PID:5356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650718.bat
        15⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:10032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650812.bat
        16⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650906.bat
        17⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240651062.bat
        18⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        18⤵
        Executes dropped EXE
        
        PID:5908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240651156.bat
        19⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        19⤵
        Executes dropped EXE
        
        PID:6088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240651328.bat
        20⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        20⤵
        Executes dropped EXE
        
        PID:5436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240651468.bat
        21⤵
        
        PID:3872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        21⤵
        Executes dropped EXE
        
        PID:5636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240651593.bat
        22⤵
        
        PID:5264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        Views/modifies file attributes
        
        PID:6280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        22⤵
        Executes dropped EXE
        
        PID:5792
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240651750.bat
        24⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        24⤵
        Executes dropped EXE
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240651828.bat
        25⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        Views/modifies file attributes
        
        PID:7516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240651921.bat
        26⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        Views/modifies file attributes
        
        PID:5204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240652000.bat
        27⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        27⤵
        Executes dropped EXE
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240652093.bat
        28⤵
        
        PID:5136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        28⤵
        Executes dropped EXE
        
        PID:5944
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240652265.bat
        30⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240653843.bat
        32⤵
        
        PID:6372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        32⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240653968.bat
        33⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        33⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240654437.bat
        34⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        34⤵
        Modifies registry class
        
        PID:7696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240654562.bat
        35⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        35⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240652359.bat
        31⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        Drops file in System32 directory
        
        PID:8116
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        33⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240655343.bat
        34⤵
        
        PID:7204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        34⤵
        Modifies registry class
        
        PID:7628
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        35⤵
        Modifies registry class
        
        PID:7880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240655531.bat
        36⤵
        
        PID:8128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        36⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240655640.bat
        37⤵
        
        PID:5216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        37⤵
        Modifies registry class
        
        PID:7816
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        38⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        39⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240655921.bat
        40⤵
        
        PID:7448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        40⤵
        Drops file in System32 directory
        
        PID:7344
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        41⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240656015.bat
        41⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240655828.bat
        39⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240655734.bat
        38⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240655437.bat
        35⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        Drops file in System32 directory
        
        PID:8624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:7836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240652468.bat
        32⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240652562.bat
        33⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650437.bat
        12⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:9024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240652640.bat
1⤵
PID:6808
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6148
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6280
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7372
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8672
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9780

C:\Windows\SysWOW64\wlhins.exe
C:\Windows\system32\wlhins.exe
1⤵
- Executes dropped EXE
PID:6868
- C:\Windows\SysWOW64\wlhins.exe
  C:\Windows\system32\wlhins.exe
  2⤵
  - Executes dropped EXE
  PID:7032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240652828.bat
    3⤵
    PID:7116
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:6988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:7300
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:7596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:7860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:8992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:9952
- - C:\Windows\SysWOW64\wlhins.exe
    C:\Windows\system32\wlhins.exe
    3⤵
    - Executes dropped EXE
    PID:5508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240652921.bat
      4⤵
      PID:5984
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6880
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7060
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6480
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7432
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7396
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7888
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:8764
  - - C:\Windows\SysWOW64\wlhins.exe
      C:\Windows\system32\wlhins.exe
      4⤵
      Executes dropped EXE
      PID:2220
    - - C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6456
      - C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        6⤵
        Executes dropped EXE
        
        PID:6284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240653218.bat
        7⤵
        
        PID:7148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240653312.bat
        8⤵
        
        PID:6800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        8⤵
        Executes dropped EXE
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240653421.bat
        9⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:8648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        10⤵
        Executes dropped EXE
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240653515.bat
        10⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:9764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240653109.bat
        6⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        Drops file in System32 directory
        
        PID:7284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:10048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240652734.bat
  2⤵
  PID:6972
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6576
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7972
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7432
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7808
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:9656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240653609.bat
1⤵
PID:6500
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6984
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7492
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8248
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8152

C:\Windows\SysWOW64\wlhins.exe
C:\Windows\system32\wlhins.exe
1⤵
- Modifies registry class
PID:7060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240653765.bat
  2⤵
  PID:6368
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7740
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:7044
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:8940
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:9844
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:10216
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:9668
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:10032
- C:\Windows\SysWOW64\wlhins.exe
  C:\Windows\system32\wlhins.exe
  2⤵
  PID:6936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240654687.bat
1⤵
PID:8008
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7724
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7944
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8892
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6188

C:\Windows\SysWOW64\wlhins.exe
C:\Windows\system32\wlhins.exe
1⤵
PID:6892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240654906.bat
  2⤵
  PID:7288
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7212
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:8648
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:8612
- C:\Windows\SysWOW64\wlhins.exe
  C:\Windows\system32\wlhins.exe
  2⤵
  PID:7788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240655062.bat
    3⤵
    PID:7184
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:7620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:8736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:9484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:8268
- - C:\Windows\SysWOW64\wlhins.exe
    C:\Windows\system32\wlhins.exe
    3⤵
    PID:6888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240654812.bat
1⤵
PID:7504
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7624
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9288
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240655156.bat
1⤵
PID:6096
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7832
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9044
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8768
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10136

C:\Windows\SysWOW64\wlhins.exe
C:\Windows\system32\wlhins.exe
1⤵
PID:8116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240655250.bat
  2⤵
  PID:7820
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:8208
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7992

C:\Windows\SysWOW64\wlhins.exe
C:\Windows\system32\wlhins.exe
1⤵
PID:8176

C:\Windows\SysWOW64\wlhins.exe
C:\Windows\system32\wlhins.exe
1⤵
- Drops file in System32 directory
PID:8476
- C:\Windows\SysWOW64\wlhins.exe
  C:\Windows\system32\wlhins.exe
  2⤵
  PID:8712
- - C:\Windows\SysWOW64\wlhins.exe
    C:\Windows\system32\wlhins.exe
    3⤵
    - Modifies registry class
    PID:8828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240656437.bat
      4⤵
      PID:8920
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:8804
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:8440
  - - C:\Windows\SysWOW64\wlhins.exe
      C:\Windows\system32\wlhins.exe
      4⤵
      Modifies registry class
      PID:8980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240656546.bat
        5⤵
        
        PID:9076
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:8308
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:10208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240656343.bat
    3⤵
    PID:8772
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:9024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:9484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240656203.bat
  2⤵
  PID:8552
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6964
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:9704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240656109.bat
1⤵
PID:8384
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9492

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8804

C:\Windows\SysWOW64\wlhins.exe
C:\Windows\system32\wlhins.exe
1⤵
- Modifies registry class
PID:7192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240656750.bat
  2⤵
  PID:7320
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:8936
- C:\Windows\SysWOW64\wlhins.exe
  C:\Windows\system32\wlhins.exe
  2⤵
  PID:7872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240656843.bat
    3⤵
    PID:8528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:8224
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:9400
- - C:\Windows\SysWOW64\wlhins.exe
    C:\Windows\system32\wlhins.exe
    3⤵
    - Modifies registry class
    PID:8720
  - - C:\Windows\SysWOW64\wlhins.exe
      C:\Windows\system32\wlhins.exe
      4⤵
      PID:9124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240657062.bat
        5⤵
        
        PID:8120
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:8304
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:9824
    - - C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        5⤵
        
        PID:8236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240657156.bat
        6⤵
        
        PID:8640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:10048
      - C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        6⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240657250.bat
        7⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        7⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240657343.bat
        8⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        8⤵
        Modifies registry class
        
        PID:8928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240657437.bat
        9⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        9⤵
        Drops file in System32 directory
        
        PID:7544
        
        C:\Windows\SysWOW64\wlhins.exe
        
        C:\Windows\system32\wlhins.exe
        10⤵
        Modifies registry class
        
        PID:8884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240657531.bat
        10⤵
        
        PID:8620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240656937.bat
      4⤵
      PID:7196
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:9384
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:8504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240656656.bat
1⤵
PID:8272
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8488
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DFD240611906.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240612406.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240612578.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240629718.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240632265.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240632406.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240632531.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240632640.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240632796.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240633062.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240633250.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240633406.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240642171.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240642265.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240642343.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240642421.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240642875.bat

Filesize
386B

MD5
14db29b64858c5f27113c52b09d6222b

SHA1
b1f0835dce2426c39a3f7ee9ac157d0a3d4b09ee

SHA256
0b0b82336081caa37e14e6545377e7af247e0b777cfdded9dcc44021ebadfcb4

SHA512
cb2a5709de1924610e7469247bade92c28e766108855dcdb358ad513c99f59002872a5b07c596ad9ddea826b915f1c47a11dfa5bd8c0f155250ecfd70b1aebc7

Download Submit
C:\DFD240648312.bat

Filesize
170B

MD5
add97571383e2334d906c33654d13cc9

SHA1
e473847883b583abeac65ff4d7b964b0902005d4

SHA256
a220d43d6d83dc39b4516e1d282a52f4a9301ba403269ed09b3b26c173bf482a

SHA512
bd1f8e19397f65403fbcb2a96edc2fa33266f9ecef9e0e7faa244046df50b61101cabcb519900130408c0e9ce023d434fa9e3a7f51e80e76d42a2335b618d4a0

Download Submit
C:\DFD240648375.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240648546.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240648953.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\Windows\SysWOW64\wlgini.dll

Filesize
73B

MD5
35c58403eb7790acf0d958199befea9a

SHA1
fec822a066a8f27fa953bed420a49ab53d505420

SHA256
634858930744fe81afb2438dd19916c5f3b950b89bf9ebad42a4aa0ef4991fbe

SHA512
052004e97d9b8926fc19ebf266c83e1eec290dd6554c2ac13c6b8bc78a9375e72672a955715959eef9521279a60afa8075e0b774ee1bbd0ac1634f53254762c8

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhins.exe

Filesize
100KB

MD5
1d73d5a0d28be3ed5b18a3053000710e

SHA1
edda1e2d2e4870232ff882559ec46fb3455c272e

SHA256
8e23691d42f4d7a9f4bf6001f1cbc5149433a43ebf780d2a1e38b7d92a4a394f

SHA512
b19a1150f1c627cd58bdc59e461f1e56ae53f7c9958dd5d1397a55b25fe714628af9913701e92ba324273c8ea615a08a6d99df9c8111756eae100761a0bcc397

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
C:\Windows\SysWOW64\wlhpri.dll

Filesize
20KB

MD5
7e717fa6e56ad47830b116e078d1fd4e

SHA1
ff51d575332b9caadaad8cb32e0a0c61c3268d91

SHA256
21db398ffe438a3468473e783ca490fbd9247209197f423ad1c1653ac83529bc

SHA512
dc22f1b55939b7337b37806f95901c4c91a1353576029f1c810eb9852a2d654a24d863fd8395fcb30784fcc20122477e7ad25bf203213f9124e8e4f5afc495b0

Download Submit
memory/920-143-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1468-144-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2832-159-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download