7f3f07afece25733b21324cc230e23c51b010b1b58dd2a51f78e19146e5d29ff

Analysis

max time kernel
47s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

064072765f6081e8eff5978ea8984d22.exe
Size

13KB
MD5

064072765f6081e8eff5978ea8984d22
SHA1

716a4a97354b173affee7646af6ee73ad1be8355
SHA256

7f3f07afece25733b21324cc230e23c51b010b1b58dd2a51f78e19146e5d29ff
SHA512

58c51cba2fa2153b873a4126a1284df236614d40127a04daf15e1c5cd01a0aebc5b5979b393763ceaf35e4b136771a747315286ccf7ff691ffae7a50bce368f1
SSDEEP

192:IhgtGc7RkYVPcrRuP703c3l4zRgV80N2mWr4dh1CxRV1PDdp56FL7WHTgxpxVr4s:IOpR703el4qZWMhwxRV5l6FPWA+u

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
6680	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2092	kaqhfaz.exe
2828	kaqhfaz.exe
2604	kaqhfaz.exe
1196	kaqhfaz.exe
1904	kaqhfaz.exe
1672	kaqhfaz.exe
2100	kaqhfaz.exe
832	kaqhfaz.exe
964	kaqhfaz.exe
1632	kaqhfaz.exe
2840	kaqhfaz.exe
2788	kaqhfaz.exe
2804	kaqhfaz.exe
2892	kaqhfaz.exe
2776	kaqhfaz.exe
756	kaqhfaz.exe
1068	kaqhfaz.exe
1816	kaqhfaz.exe
2528	kaqhfaz.exe
2796	kaqhfaz.exe
2560	kaqhfaz.exe
1956	kaqhfaz.exe
924	kaqhfaz.exe
1468	kaqhfaz.exe
2700	kaqhfaz.exe
1612	kaqhfaz.exe
2200	kaqhfaz.exe
1608	kaqhfaz.exe
1692	kaqhfaz.exe
896	kaqhfaz.exe
1712	kaqhfaz.exe
1960	kaqhfaz.exe
476	kaqhfaz.exe
2440	kaqhfaz.exe
2888	kaqhfaz.exe
1464	kaqhfaz.exe
2464	kaqhfaz.exe
1748	kaqhfaz.exe
2740	kaqhfaz.exe
1980	kaqhfaz.exe
2476	kaqhfaz.exe
2964	kaqhfaz.exe
1168	kaqhfaz.exe
3084	Process not Found
3192	kaqhfaz.exe
3304	kaqhfaz.exe
3428	Process not Found
3532	Process not Found
3628	Process not Found
3772	kaqhfaz.exe
4068	Process not Found
3180	Process not Found
1156	Process not Found
1152	Process not Found
3496	kaqhfaz.exe
3600	kaqhfaz.exe
3756	kaqhfaz.exe
3112	Process not Found
2660	Process not Found
3348	Process not Found
3512	Process not Found
3616	kaqhfaz.exe
3012	kaqhfaz.exe
3224	kaqhfaz.exe

Loads dropped DLL 64 IoCs

pid	Process
2032	064072765f6081e8eff5978ea8984d22.exe
2032	064072765f6081e8eff5978ea8984d22.exe
2092	kaqhfaz.exe
2092	kaqhfaz.exe
2828	kaqhfaz.exe
2828	kaqhfaz.exe
2604	kaqhfaz.exe
2604	kaqhfaz.exe
1196	kaqhfaz.exe
1196	kaqhfaz.exe
1904	kaqhfaz.exe
1904	kaqhfaz.exe
1672	kaqhfaz.exe
1672	kaqhfaz.exe
2100	kaqhfaz.exe
2100	kaqhfaz.exe
832	kaqhfaz.exe
832	kaqhfaz.exe
964	kaqhfaz.exe
964	kaqhfaz.exe
1632	kaqhfaz.exe
1632	kaqhfaz.exe
2840	kaqhfaz.exe
2840	kaqhfaz.exe
2788	kaqhfaz.exe
2788	kaqhfaz.exe
2804	kaqhfaz.exe
2804	kaqhfaz.exe
2892	kaqhfaz.exe
2892	kaqhfaz.exe
2776	kaqhfaz.exe
2776	kaqhfaz.exe
756	kaqhfaz.exe
756	kaqhfaz.exe
1068	kaqhfaz.exe
1068	kaqhfaz.exe
1816	kaqhfaz.exe
1816	kaqhfaz.exe
2528	kaqhfaz.exe
2528	kaqhfaz.exe
2796	kaqhfaz.exe
2796	kaqhfaz.exe
2560	kaqhfaz.exe
2560	kaqhfaz.exe
1956	kaqhfaz.exe
1956	kaqhfaz.exe
924	kaqhfaz.exe
924	kaqhfaz.exe
1468	kaqhfaz.exe
1468	kaqhfaz.exe
2700	kaqhfaz.exe
2700	kaqhfaz.exe
1612	kaqhfaz.exe
1612	kaqhfaz.exe
2200	kaqhfaz.exe
2200	kaqhfaz.exe
1608	kaqhfaz.exe
1608	kaqhfaz.exe
1692	kaqhfaz.exe
1692	kaqhfaz.exe
896	kaqhfaz.exe
896	kaqhfaz.exe
1712	kaqhfaz.exe
1712	kaqhfaz.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	kaqhfaz.exe
File created	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	conhost.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	conhost.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	kaqhfaz.exe
File created	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File created	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File created	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	conhost.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	kaqhfaz.exe
File created	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File created	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File created	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	conhost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	cmd.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	064072765f6081e8eff5978ea8984d22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	064072765f6081e8eff5978ea8984d22.exe
2092	kaqhfaz.exe
2828	kaqhfaz.exe
2604	kaqhfaz.exe
1196	kaqhfaz.exe
1904	kaqhfaz.exe
1672	kaqhfaz.exe
2100	kaqhfaz.exe
832	kaqhfaz.exe
964	kaqhfaz.exe
1632	kaqhfaz.exe
2840	kaqhfaz.exe
2788	kaqhfaz.exe
2804	kaqhfaz.exe
2892	kaqhfaz.exe
2776	kaqhfaz.exe
756	kaqhfaz.exe
1068	kaqhfaz.exe
1816	kaqhfaz.exe
2528	kaqhfaz.exe
2796	kaqhfaz.exe
2560	kaqhfaz.exe
1956	kaqhfaz.exe
1956	kaqhfaz.exe
924	kaqhfaz.exe
1468	kaqhfaz.exe
1468	kaqhfaz.exe
2700	kaqhfaz.exe
2700	kaqhfaz.exe
1612	kaqhfaz.exe
1612	kaqhfaz.exe
2200	kaqhfaz.exe
2200	kaqhfaz.exe
1608	kaqhfaz.exe
1608	kaqhfaz.exe
1608	kaqhfaz.exe
1692	kaqhfaz.exe
1692	kaqhfaz.exe
1692	kaqhfaz.exe
896	kaqhfaz.exe
896	kaqhfaz.exe
896	kaqhfaz.exe
1712	kaqhfaz.exe
1712	kaqhfaz.exe
1960	kaqhfaz.exe
1960	kaqhfaz.exe
476	kaqhfaz.exe
476	kaqhfaz.exe
476	kaqhfaz.exe
476	kaqhfaz.exe
2440	kaqhfaz.exe
2440	kaqhfaz.exe
2440	kaqhfaz.exe
2440	kaqhfaz.exe
2888	kaqhfaz.exe
2888	kaqhfaz.exe
2888	kaqhfaz.exe
2888	kaqhfaz.exe
1464	kaqhfaz.exe
1464	kaqhfaz.exe
1464	kaqhfaz.exe
1464	kaqhfaz.exe
2464	kaqhfaz.exe
2464	kaqhfaz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1716	2032	064072765f6081e8eff5978ea8984d22.exe	28
PID 2032 wrote to memory of 1716	2032	064072765f6081e8eff5978ea8984d22.exe	28
PID 2032 wrote to memory of 1716	2032	064072765f6081e8eff5978ea8984d22.exe	28
PID 2032 wrote to memory of 1716	2032	064072765f6081e8eff5978ea8984d22.exe	28
PID 2032 wrote to memory of 2092	2032	064072765f6081e8eff5978ea8984d22.exe	30
PID 2032 wrote to memory of 2092	2032	064072765f6081e8eff5978ea8984d22.exe	30
PID 2032 wrote to memory of 2092	2032	064072765f6081e8eff5978ea8984d22.exe	30
PID 2032 wrote to memory of 2092	2032	064072765f6081e8eff5978ea8984d22.exe	30
PID 1716 wrote to memory of 2752	1716	cmd.exe	31
PID 1716 wrote to memory of 2752	1716	cmd.exe	31
PID 1716 wrote to memory of 2752	1716	cmd.exe	31
PID 1716 wrote to memory of 2752	1716	cmd.exe	31
PID 2092 wrote to memory of 2712	2092	kaqhfaz.exe	32
PID 2092 wrote to memory of 2712	2092	kaqhfaz.exe	32
PID 2092 wrote to memory of 2712	2092	kaqhfaz.exe	32
PID 2092 wrote to memory of 2712	2092	kaqhfaz.exe	32
PID 2092 wrote to memory of 2828	2092	kaqhfaz.exe	42
PID 2092 wrote to memory of 2828	2092	kaqhfaz.exe	42
PID 2092 wrote to memory of 2828	2092	kaqhfaz.exe	42
PID 2092 wrote to memory of 2828	2092	kaqhfaz.exe	42
PID 1716 wrote to memory of 2596	1716	cmd.exe	34
PID 1716 wrote to memory of 2596	1716	cmd.exe	34
PID 1716 wrote to memory of 2596	1716	cmd.exe	34
PID 1716 wrote to memory of 2596	1716	cmd.exe	34
PID 2712 wrote to memory of 2728	2712	cmd.exe	41
PID 2712 wrote to memory of 2728	2712	cmd.exe	41
PID 2712 wrote to memory of 2728	2712	cmd.exe	41
PID 2712 wrote to memory of 2728	2712	cmd.exe	41
PID 2828 wrote to memory of 2572	2828	kaqhfaz.exe	35
PID 2828 wrote to memory of 2572	2828	kaqhfaz.exe	35
PID 2828 wrote to memory of 2572	2828	kaqhfaz.exe	35
PID 2828 wrote to memory of 2572	2828	kaqhfaz.exe	35
PID 1716 wrote to memory of 2580	1716	cmd.exe	40
PID 1716 wrote to memory of 2580	1716	cmd.exe	40
PID 1716 wrote to memory of 2580	1716	cmd.exe	40
PID 1716 wrote to memory of 2580	1716	cmd.exe	40
PID 2828 wrote to memory of 2604	2828	kaqhfaz.exe	39
PID 2828 wrote to memory of 2604	2828	kaqhfaz.exe	39
PID 2828 wrote to memory of 2604	2828	kaqhfaz.exe	39
PID 2828 wrote to memory of 2604	2828	kaqhfaz.exe	39
PID 1716 wrote to memory of 2472	1716	cmd.exe	132
PID 1716 wrote to memory of 2472	1716	cmd.exe	132
PID 1716 wrote to memory of 2472	1716	cmd.exe	132
PID 1716 wrote to memory of 2472	1716	cmd.exe	132
PID 2712 wrote to memory of 2540	2712	cmd.exe	127
PID 2712 wrote to memory of 2540	2712	cmd.exe	127
PID 2712 wrote to memory of 2540	2712	cmd.exe	127
PID 2712 wrote to memory of 2540	2712	cmd.exe	127
PID 2572 wrote to memory of 1808	2572	cmd.exe	131
PID 2572 wrote to memory of 1808	2572	cmd.exe	131
PID 2572 wrote to memory of 1808	2572	cmd.exe	131
PID 2572 wrote to memory of 1808	2572	cmd.exe	131
PID 2712 wrote to memory of 1016	2712	cmd.exe	48
PID 2712 wrote to memory of 1016	2712	cmd.exe	48
PID 2712 wrote to memory of 1016	2712	cmd.exe	48
PID 2712 wrote to memory of 1016	2712	cmd.exe	48
PID 1716 wrote to memory of 1044	1716	cmd.exe	47
PID 1716 wrote to memory of 1044	1716	cmd.exe	47
PID 1716 wrote to memory of 1044	1716	cmd.exe	47
PID 1716 wrote to memory of 1044	1716	cmd.exe	47
PID 2604 wrote to memory of 576	2604	kaqhfaz.exe	46
PID 2604 wrote to memory of 576	2604	kaqhfaz.exe	46
PID 2604 wrote to memory of 576	2604	kaqhfaz.exe	46
PID 2604 wrote to memory of 576	2604	kaqhfaz.exe	46

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1552	attrib.exe
4076	attrib.exe
4236	attrib.exe
8700	Process not Found
4404	Process not Found
1468	attrib.exe
4668	attrib.exe
6996	Process not Found
4368	Process not Found
6624	Process not Found
5128	Process not Found
3856	attrib.exe
5272	Process not Found
8648	Process not Found
9024	Process not Found
9120	Process not Found
8296	Process not Found
7284	Process not Found
8428	Process not Found
6500	Process not Found
8988	Process not Found
3944	Process not Found
2780	attrib.exe
8848	Process not Found
6316	Process not Found
9212	Process not Found
9020	Process not Found
4140	attrib.exe
6416	attrib.exe
3444	Process not Found
6944	attrib.exe
8104	Process not Found
7084	Process not Found
6748	Process not Found
2540	attrib.exe
6572	Process not Found
7324	Process not Found
5244	Process not Found
6800	attrib.exe
7632	Process not Found
5604	Process not Found
8104	Process not Found
6816	Process not Found
1616	Process not Found
6080	Process not Found
5748	Process not Found
5760	Process not Found
3508	attrib.exe
4600	attrib.exe
3456	attrib.exe
7188	Process not Found
7160	Process not Found
7160	attrib.exe
8916	Process not Found
8816	Process not Found
4556	Process not Found
8792	Process not Found
9024	Process not Found
8972	Process not Found
4276	Process not Found
8836	Process not Found
4244	Process not Found
924	attrib.exe
2856	attrib.exe

C:\Users\Admin\AppData\Local\Temp\064072765f6081e8eff5978ea8984d22.exe
"C:\Users\Admin\AppData\Local\Temp\064072765f6081e8eff5978ea8984d22.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259426651.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:2752
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:1044
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:940
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1632
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259426948.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2540
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2856
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5652
- - C:\Windows\SysWOW64\kaqhfaz.exe
    C:\Windows\system32\kaqhfaz.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259458975.bat
      4⤵
      PID:4128
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
        5⤵
        
        PID:5552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259458881.bat
    3⤵
    PID:6280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
      4⤵
      PID:4404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259458288.bat
  2⤵
  PID:6680
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\064072765f6081e8eff5978ea8984d22.exe" -r -a -s -h
    3⤵
    PID:6160

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259427151.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1808
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1608
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2628
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1920
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2212
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2936
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1488
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2468
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:640
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3040
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2440
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1684
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1568
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2276
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2116
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2116
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3896
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3888
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6132
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5532

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259427681.bat
    3⤵
    PID:2872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:1552
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5616
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:6972
- - C:\Windows\SysWOW64\kaqhfaz.exe
    C:\Windows\system32\kaqhfaz.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259459926.bat
      4⤵
      PID:5472
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
        5⤵
        
        PID:4988
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
        5⤵
        
        PID:5252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259459942.bat
    3⤵
    PID:6128
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
      4⤵
      PID:7160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259427322.bat
  2⤵
  PID:576
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:1468
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:476
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:780
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6304
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259459458.bat
  2⤵
  PID:5852
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:6440

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2928

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:756

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:832
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259428882.bat
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:6716
- - C:\Windows\SysWOW64\kaqhfaz.exe
    C:\Windows\system32\kaqhfaz.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259429210.bat
      4⤵
      PID:1312
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:948
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4164
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5312
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5468
  - - C:\Windows\SysWOW64\kaqhfaz.exe
      C:\Windows\system32\kaqhfaz.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429335.bat
        5⤵
        
        PID:2704
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:2680
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Views/modifies file attributes
        
        PID:924
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1108
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1808
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2636
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Views/modifies file attributes
        
        PID:2780
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1744
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3652
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3100
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5968
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:6952
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429475.bat
        6⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5952
      - C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429615.bat
        7⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431129.bat
        8⤵
        
        PID:852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431316.bat
        9⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431472.bat
        10⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1068
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431753.bat
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431862.bat
        13⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432002.bat
        14⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434389.bat
        15⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434841.bat
        16⤵
        
        PID:636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434966.bat
        17⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435091.bat
        18⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        Views/modifies file attributes
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435216.bat
        19⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435325.bat
        20⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435590.bat
        22⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435731.bat
        23⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435855.bat
        24⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435996.bat
        25⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437696.bat
        26⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437837.bat
        27⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        Views/modifies file attributes
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437946.bat
        28⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438102.bat
        29⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438227.bat
        30⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438351.bat
        31⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        31⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438476.bat
        32⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438601.bat
        33⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438726.bat
        34⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438866.bat
        35⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        35⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438991.bat
        36⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        36⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259439131.bat
        37⤵
        
        PID:324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        37⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259439256.bat
        38⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        38⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259439381.bat
        39⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        39⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259439506.bat
        40⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        Views/modifies file attributes
        
        PID:4668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        40⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259439631.bat
        41⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        41⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259439787.bat
        42⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        42⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259439927.bat
        43⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259440052.bat
        44⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        44⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259440177.bat
        45⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        45⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259440333.bat
        46⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        46⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259440473.bat
        47⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        Views/modifies file attributes
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        47⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259440613.bat
        48⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259440723.bat
        49⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        49⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259440894.bat
        50⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441035.bat
        51⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        51⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441159.bat
        52⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        52⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441284.bat
        53⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        53⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441409.bat
        54⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        54⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441534.bat
        55⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        55⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441674.bat
        56⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        56⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441830.bat
        57⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        57⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441971.bat
        58⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        58⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259442127.bat
        59⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        59⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259442267.bat
        60⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        Views/modifies file attributes
        
        PID:6944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        60⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259442392.bat
        61⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        Views/modifies file attributes
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        61⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259442548.bat
        62⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        62⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259442766.bat
        63⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        63⤵
        Drops file in Windows directory
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259442891.bat
        64⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        64⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259443047.bat
        65⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        65⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259443156.bat
        66⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        66⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259443297.bat
        67⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        67⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259443421.bat
        68⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259443546.bat
        69⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        69⤵
        Drops file in Windows directory
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259443687.bat
        70⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        70⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259443811.bat
        71⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259443936.bat
        72⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        73⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        73⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        73⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        72⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259444077.bat
        73⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        Views/modifies file attributes
        
        PID:6416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        73⤵
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259444217.bat
        74⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        Views/modifies file attributes
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        74⤵
        Drops file in Windows directory
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259444357.bat
        75⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        75⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259444482.bat
        76⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        76⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259444623.bat
        77⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        77⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259444779.bat
        78⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        78⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259444935.bat
        79⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        79⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259445059.bat
        80⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        80⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259445200.bat
        81⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        82⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        82⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        81⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259445340.bat
        82⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        Views/modifies file attributes
        
        PID:6800
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        82⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259445496.bat
        83⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        84⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        84⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        83⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259445637.bat
        84⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        Views/modifies file attributes
        
        PID:4236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        84⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259445839.bat
        85⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        86⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        86⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        86⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        85⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259446011.bat
        86⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        87⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        87⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        86⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259446151.bat
        87⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        88⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        88⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        87⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259446292.bat
        88⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        89⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        89⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        88⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259446448.bat
        89⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        90⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        90⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        89⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259446573.bat
        90⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        90⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259446729.bat
        91⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        92⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        92⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        92⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        91⤵
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259446885.bat
        92⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        93⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        93⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        93⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        92⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259447009.bat
        93⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        94⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        94⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        94⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        93⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259447134.bat
        94⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        94⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259447275.bat
        95⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        95⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259447415.bat
        96⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        97⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        97⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        97⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        96⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259447587.bat
        97⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        98⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        98⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        97⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259447711.bat
        98⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        98⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259447883.bat
        99⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        100⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        100⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        99⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259448023.bat
        100⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        101⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        101⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        100⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259448148.bat
        101⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        102⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        102⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        101⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259448289.bat
        102⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        103⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        103⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        103⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        102⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259448429.bat
        103⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        104⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        104⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        103⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259448616.bat
        104⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        105⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        105⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        104⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259448788.bat
        105⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        106⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        106⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        106⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        105⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259448928.bat
        106⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        107⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        107⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        106⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259449084.bat
        107⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        108⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        108⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        107⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259449240.bat
        108⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        109⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        109⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        108⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259449381.bat
        109⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        110⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        110⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        109⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259449521.bat
        110⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        111⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        111⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        111⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        110⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259449646.bat
        111⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        112⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        112⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        111⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259449771.bat
        112⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        113⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        113⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        113⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        112⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259449911.bat
        113⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        114⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        114⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        113⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259450083.bat
        114⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        115⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        115⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        114⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259450208.bat
        115⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        116⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        116⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        115⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259450364.bat
        116⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        117⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        117⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        116⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259450535.bat
        117⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        118⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        118⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        118⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        117⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259450676.bat
        118⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        119⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        119⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        118⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        119⤵
        Drops file in Windows directory
        
        PID:5212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259451050.bat
        120⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        121⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        121⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        120⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259451393.bat
        122⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        123⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        123⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        122⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259451518.bat
        123⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        124⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        124⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        123⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259451658.bat
        124⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        125⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        125⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        124⤵
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259451799.bat
        125⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        126⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        126⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        125⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259451939.bat
        126⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        127⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        127⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        126⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259452111.bat
        127⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        128⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        128⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        127⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259452267.bat
        128⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        129⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        129⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        129⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        128⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259452392.bat
        129⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        130⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        130⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        129⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259452516.bat
        130⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        131⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        131⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        130⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259452641.bat
        131⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        132⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        132⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        131⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259452782.bat
        132⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        133⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        132⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259461190.bat
        133⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        134⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\kaqhfaz.exe
        
        C:\Windows\system32\kaqhfaz.exe
        133⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259451237.bat
        121⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        122⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        122⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259450894.bat
        119⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        120⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        120⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259466915.bat
        22⤵
        Drops file in Windows directory
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435450.bat
        21⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259466650.bat
        14⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259465215.bat
        13⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259465043.bat
        12⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431628.bat
        11⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259464903.bat
        11⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259464762.bat
        10⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
        11⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259464606.bat
        9⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259464185.bat
        7⤵
        Drops file in System32 directory
        
        PID:6944
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259461767.bat
        6⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
        7⤵
        
        PID:6888
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259461892.bat
        5⤵
        
        PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259461143.bat
    3⤵
    PID:3992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
      4⤵
      PID:6712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259428648.bat
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:860
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259461174.bat
  2⤵
  PID:6184
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:5540

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259428336.bat
1⤵
PID:2256
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2908
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:572
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2856
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:944
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1168
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1016
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:476
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2384
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2664
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3828
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:4140
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6120
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2500

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2068

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259460675.bat
  2⤵
  PID:5324
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:6972

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259428102.bat
1⤵
PID:2352
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1152
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2128
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2272
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1808
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1964
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2972
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2456
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2632
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1112
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3796
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3880
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4632
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6444
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3324

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259460285.bat
  2⤵
  PID:3816
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:6956

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259427884.bat
1⤵
PID:2880
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:324
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2560
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2500
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2264
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1184
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1888
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2996
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1996
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3676
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3156
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5744
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6792
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-92002034-1870779899-624157625-1747736750-214411029-352630586-3757695951514002990"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1424405453-900800180-267854650-15748468505938658401771517277-608531226-1081631544"
1⤵
PID:640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1179961126-1273700004-730016883-131864822413505773906705458441441572673268188433"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10107400345312157041360420020-493466490-9748551171258189346-12096462811277421140"
1⤵
PID:3032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "91992418217634492292129233372154975182-7805175831186621414-68630791619880604"
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "655054425-10581930151098382088-47706851-8266048981075782268272085959244775812"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "326672307780259121186459877-1602659721280045850484568570-12530549991295408226"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "157136768198129603112886064252505839321119902057-894233503-1547323037-599857168"
1⤵
- Drops file in System32 directory
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1614089561-99881040-8624274655951884-1440869313-2040151890117179057-32181619"
1⤵
PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1082172156-1146895557-34213898-1842448714738853590918538324-838942056639764681"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "878266537-2085079335-1957096185-18366392191860597168-155350086-638551021440531187"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1538482148-6581479371749285588-1527646566-11854570271801072073-1883789073-78646620"
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-401435010793602040-2528467635892467961136697714-211934044920885908471554987832"
1⤵
PID:2308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-494824736-103181635917127971-1106428460-1311160342558213234-2128380867-1297759281"
1⤵
PID:388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "787660174-7898996018242090612067496485516044502-9115558396711874811197088422"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1677333228279399428-2056954765750758148-105335362768465269115223957492110651380"
1⤵
PID:3676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1528492880862798444-10956402041931918599-1724322978993509943-3557670921751388718"
1⤵
PID:3796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-853897783-21367012432004056436-2131051327362956836880886084287934652253116006"
1⤵
PID:4020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8120624096327144241555189597-1948426902809602688-31108052513819701091017236293"
1⤵
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2119373804557472675362621836-807935562815307651135778751-832954436-758078210"
1⤵
PID:3296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1647241562-345656513-75022241521136246741264485455-6515313541148802251061814366"
1⤵
PID:2116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1952028220-329645999-16492385891935190156-1107633411-311364099-1835813063659441129"
1⤵
PID:780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21209257401535336427659337963-841439323-1519319127462510076887647888539360824"
1⤵
PID:3644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "317298714-1980600373107805628418014675348927002201546580714779320401-130902757"
1⤵
PID:3812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1132363925-1435195032024945146-767197492113061843874353670294332193-631457641"
1⤵
PID:3828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15848485701013950007-130191034-1682832744-379668364-95623375619980717581278766995"
1⤵
- Drops file in System32 directory
PID:4164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "189733947820898217702037680034-289578807-1471465504-1415460332-3271030991114581056"
1⤵
PID:3876

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:3880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1403001895-1108217589-1734099933470596168-21380741081280671423-752655720888835732"
1⤵
PID:4620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5081399081539041640-195529329615580028549730217519928811795861739501595391403"
1⤵
- Drops file in System32 directory
PID:4600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1835474645-541675450-85307129476519308513961551151452224970-10890330801620105778"
1⤵
PID:5968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "471816572-585736550-559057543983341259-860410404-1634809560-1036704408-239893357"
1⤵
PID:3872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1471147291-869602987-175278839-9687426911295356895-17833458451021304269340967038"
1⤵
PID:4424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "406106971-43885966642842222214021968441856579688-1889582412-380180085901143736"
1⤵
PID:7000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-343568341298279714267071576-117085476382590783-1780389871-880984518564793442"
1⤵
PID:7088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "971491646-43039061533037295-1057758969-1087317771-1816044151-394202021-1665291812"
1⤵
PID:5352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-888278258148420111816427853391762243978-205677289119654080041322450230-1455954135"
1⤵
- Drops file in System32 directory
PID:4372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "108381916578088685-2066398696-1188845689-778989912-85380466811994789231742533340"
1⤵
PID:6576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-55274276420894984661672719487-20178117032604338795362696074343493272098282919"
1⤵
PID:4900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-84606103-483937263-3693757371755709273-1817248628783694098-1872278346-1869190526"
1⤵
PID:6560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1033695970-476184225-18032230401578790042-105333631-18152085976565903171452494216"
1⤵
PID:6716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-481451202862336331309183541-797884905233825780-165803228-2026194881-1112433598"
1⤵
PID:5536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4858973441864427585-1329743808-639860416-356757656244422239-4969433891314697955"
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DFD259426651.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD259458288.bat

Filesize
290B

MD5
e276d0fc822344545ad5ecc26566a0c1

SHA1
2587104c8abc67de504c9e9ee6b5cb8221fa4151

SHA256
f34f7da8feda7aefc3250254f4ea764db76edfbacc687f2097555bf373a9e083

SHA512
3ac6dde3e610ed6dce658e66b37dfd3045a8144e9c8ba61006ab2d8021cf3260afc7f4bb1c6af4a3d93ce6900508b737be40b6805642d50fcce22b16c6fd454f

Download Submit
C:\DFD259458881.bat

Filesize
173B

MD5
ffca287cc31a26e49b272dacf4ef9b69

SHA1
bd43ab9d9b2e2dfadd252683a17d3c5905be374c

SHA256
01c382f08b04a7784bc8507470191d2924aaa9fd26c651af6747ff1522b27077

SHA512
eda08b03c89fce7596642fb5f1a24e14b5ce35b54a85f94eeb70cf8733b5196a75d3ba1aae5e773ff8635eb644a398227bb8af582d05b16a39f4ea293a9ebebc

Download Submit
C:\DFD259511703.bat

Filesize
346B

MD5
bd2ba288701841ec8c1c47a69f7e7b5e

SHA1
56f9b0663beebae9e2cd09774b9554a864cfad08

SHA256
feb96adf1e1264069b0326be3bd7c61cd6a72fe0052e893b4c81ef91ac976857

SHA512
a82e3614f7ffeb137ad2b5e7781eff5f173676ec3a79350e216339a82b8949722cf95bd3a9c68a8a652e4a3bd0da7c12365b85b6f7d8f1b4c164cb96ef58df25

Download Submit
C:\Windows\Fonts\enhuafx.fon

Filesize
101B

MD5
dc4e6d382fdc3482ae2b359e01076d36

SHA1
66e688c2efd8e3dd41d08c7f9d6a0e425c5a8f3d

SHA256
171e79c3b731e0f997f68ed6e842e0e3adc97e87bafc88acb1638d231767721c

SHA512
3cbc7e68ddc20bf75f5990efd7119379603343c052e54e32e5c01d12c5eddf1ffdc758769cb88f77eb45249764022c1b1399173d437153cf9effe3c03a37be9a

Download Submit
C:\Windows\SysWOW64\kaqhfcs.dll

Filesize
57B

MD5
d8e2be26b9766c0bb17217810dad166c

SHA1
53b15a586ab4349ebb26cd52896051d146e200df

SHA256
f0c5d11fb10f8a95778d87f70dc29a9f5c6903fb1ef15181ec05d2607f0eb879

SHA512
ff264da23d82204bd350a13575a2f7e8c5210b941d4ba4794831887e531ded58bff698dda24c083efb1cf6a42bd6c966c181d6c6f824150e9db78416e8fea450

Download Submit
C:\Windows\SysWOW64\kaqhfzy.dll

Filesize
19KB

MD5
77cbc7015923de62815af9e5d9fed4be

SHA1
e5bc519e6e95fb456faea127519e304021eab212

SHA256
72ad2eb67ed750a6c1b5505471173014708a29d6e17d95efbe57f1a2b8c9c6bb

SHA512
cdede606627098b5f83a5251d41f5d006bd278252566f5d5eaf8abc644dbc24cc2aa73a95bbb9c9ee92f7738ea79ed384051a4c59823aa4b93999740f212fcf2

Download Submit
\Windows\SysWOW64\kaqhfaz.exe

Filesize
13KB

MD5
064072765f6081e8eff5978ea8984d22

SHA1
716a4a97354b173affee7646af6ee73ad1be8355

SHA256
7f3f07afece25733b21324cc230e23c51b010b1b58dd2a51f78e19146e5d29ff

SHA512
58c51cba2fa2153b873a4126a1284df236614d40127a04daf15e1c5cd01a0aebc5b5979b393763ceaf35e4b136771a747315286ccf7ff691ffae7a50bce368f1

Download Submit
memory/2032-27-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2032-2263-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2032-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2092-43-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2092-44-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2092-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2828-46-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download