7f3f07afece25733b21324cc230e23c51b010b1b58dd2a51f78e19146e5d29ff

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

064072765f6081e8eff5978ea8984d22.exe
Size

13KB
MD5

064072765f6081e8eff5978ea8984d22
SHA1

716a4a97354b173affee7646af6ee73ad1be8355
SHA256

7f3f07afece25733b21324cc230e23c51b010b1b58dd2a51f78e19146e5d29ff
SHA512

58c51cba2fa2153b873a4126a1284df236614d40127a04daf15e1c5cd01a0aebc5b5979b393763ceaf35e4b136771a747315286ccf7ff691ffae7a50bce368f1
SSDEEP

192:IhgtGc7RkYVPcrRuP703c3l4zRgV80N2mWr4dh1CxRV1PDdp56FL7WHTgxpxVr4s:IOpR703el4qZWMhwxRV5l6FPWA+u

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
4296	Process not Found
312	Process not Found
3868	Process not Found
4224	Process not Found
2192	Process not Found
3068	kaqhfaz.exe
3956	Process not Found
3296	Process not Found
2552	Process not Found
3892	Process not Found
4320	Process not Found
1704	Process not Found
2920	Process not Found
2520	Process not Found
2012	Process not Found
4676	Process not Found
4964	Process not Found
4584	Process not Found
3720	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File created	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\kaqhfaz.exe	064072765f6081e8eff5978ea8984d22.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	064072765f6081e8eff5978ea8984d22.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\kaqhfzy.dll	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	064072765f6081e8eff5978ea8984d22.exe
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfcs.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File created	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\kaqhfaz.exe	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	cmd.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	064072765f6081e8eff5978ea8984d22.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\Fonts\enhuafx.fon	064072765f6081e8eff5978ea8984d22.exe
File opened for modification	C:\Windows\SysWOW64	kaqhfaz.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found

Program crash 3 IoCs

pid	pid_target	Process
228	15640	WerFault.exe
6900	15456	WerFault.exe
15980	15600	WerFault.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	064072765f6081e8eff5978ea8984d22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	064072765f6081e8eff5978ea8984d22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}	064072765f6081e8eff5978ea8984d22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	kaqhfaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	064072765f6081e8eff5978ea8984d22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	064072765f6081e8eff5978ea8984d22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	kaqhfaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	064072765f6081e8eff5978ea8984d22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\ = "C:\\Windows\\SysWow64\\kaqhfzy.dll"	Process not Found

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3304	064072765f6081e8eff5978ea8984d22.exe
3304	064072765f6081e8eff5978ea8984d22.exe
4296	Process not Found
4296	Process not Found
312	Process not Found
312	Process not Found
3868	Process not Found
3868	Process not Found
4224	Process not Found
4224	Process not Found
2192	Process not Found
2192	Process not Found
3068	kaqhfaz.exe
3068	kaqhfaz.exe
3956	Process not Found
3956	Process not Found
3296	Process not Found
3296	Process not Found
2552	Process not Found
2552	Process not Found
3892	Process not Found
3892	Process not Found
4320	Process not Found
4320	Process not Found
1704	Process not Found
1704	Process not Found
2920	Process not Found
2920	Process not Found
2520	Process not Found
2520	Process not Found
2012	Process not Found
2012	Process not Found
4676	Process not Found
4676	Process not Found
4964	Process not Found
4964	Process not Found
4584	Process not Found
4584	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 1224	3304	064072765f6081e8eff5978ea8984d22.exe	28
PID 3304 wrote to memory of 1224	3304	064072765f6081e8eff5978ea8984d22.exe	28
PID 3304 wrote to memory of 1224	3304	064072765f6081e8eff5978ea8984d22.exe	28
PID 3304 wrote to memory of 4296	3304	064072765f6081e8eff5978ea8984d22.exe	3637
PID 3304 wrote to memory of 4296	3304	064072765f6081e8eff5978ea8984d22.exe	3637
PID 3304 wrote to memory of 4296	3304	064072765f6081e8eff5978ea8984d22.exe	3637
PID 1224 wrote to memory of 4060	1224	cmd.exe	3578
PID 1224 wrote to memory of 4060	1224	cmd.exe	3578
PID 1224 wrote to memory of 4060	1224	cmd.exe	3578
PID 4296 wrote to memory of 4736	4296	Process not Found	31
PID 4296 wrote to memory of 4736	4296	Process not Found	31
PID 4296 wrote to memory of 4736	4296	Process not Found	31
PID 1224 wrote to memory of 1484	1224	cmd.exe	3636
PID 1224 wrote to memory of 1484	1224	cmd.exe	3636
PID 1224 wrote to memory of 1484	1224	cmd.exe	3636
PID 4296 wrote to memory of 312	4296	Process not Found	3634
PID 4296 wrote to memory of 312	4296	Process not Found	3634
PID 4296 wrote to memory of 312	4296	Process not Found	3634
PID 1224 wrote to memory of 2012	1224	cmd.exe	3633
PID 1224 wrote to memory of 2012	1224	cmd.exe	3633
PID 1224 wrote to memory of 2012	1224	cmd.exe	3633
PID 1224 wrote to memory of 1724	1224	cmd.exe	3632
PID 1224 wrote to memory of 1724	1224	cmd.exe	3632
PID 1224 wrote to memory of 1724	1224	cmd.exe	3632
PID 4736 wrote to memory of 4944	4736	cmd.exe	3631
PID 4736 wrote to memory of 4944	4736	cmd.exe	3631
PID 4736 wrote to memory of 4944	4736	cmd.exe	3631
PID 1224 wrote to memory of 8	1224	cmd.exe	3630
PID 1224 wrote to memory of 8	1224	cmd.exe	3630
PID 1224 wrote to memory of 8	1224	cmd.exe	3630
PID 4736 wrote to memory of 4036	4736	cmd.exe	3629
PID 4736 wrote to memory of 4036	4736	cmd.exe	3629
PID 4736 wrote to memory of 4036	4736	cmd.exe	3629
PID 4736 wrote to memory of 3704	4736	cmd.exe	3628
PID 4736 wrote to memory of 3704	4736	cmd.exe	3628
PID 4736 wrote to memory of 3704	4736	cmd.exe	3628
PID 1224 wrote to memory of 3240	1224	cmd.exe	3626
PID 1224 wrote to memory of 3240	1224	cmd.exe	3626
PID 1224 wrote to memory of 3240	1224	cmd.exe	3626
PID 312 wrote to memory of 1268	312	Process not Found	3627
PID 312 wrote to memory of 1268	312	Process not Found	3627
PID 312 wrote to memory of 1268	312	Process not Found	3627
PID 4736 wrote to memory of 5112	4736	cmd.exe	3624
PID 4736 wrote to memory of 5112	4736	cmd.exe	3624
PID 4736 wrote to memory of 5112	4736	cmd.exe	3624
PID 1224 wrote to memory of 3948	1224	cmd.exe	3623
PID 1224 wrote to memory of 3948	1224	cmd.exe	3623
PID 1224 wrote to memory of 3948	1224	cmd.exe	3623
PID 312 wrote to memory of 3868	312	Process not Found	3622
PID 312 wrote to memory of 3868	312	Process not Found	3622
PID 312 wrote to memory of 3868	312	Process not Found	3622
PID 4736 wrote to memory of 920	4736	cmd.exe	3621
PID 4736 wrote to memory of 920	4736	cmd.exe	3621
PID 4736 wrote to memory of 920	4736	cmd.exe	3621
PID 1224 wrote to memory of 3492	1224	cmd.exe	3620
PID 1224 wrote to memory of 3492	1224	cmd.exe	3620
PID 1224 wrote to memory of 3492	1224	cmd.exe	3620
PID 1268 wrote to memory of 2568	1268	Process not Found	3619
PID 1268 wrote to memory of 2568	1268	Process not Found	3619
PID 1268 wrote to memory of 2568	1268	Process not Found	3619
PID 4736 wrote to memory of 2552	4736	cmd.exe	3618
PID 4736 wrote to memory of 2552	4736	cmd.exe	3618
PID 4736 wrote to memory of 2552	4736	cmd.exe	3618
PID 3868 wrote to memory of 2380	3868	Process not Found	32

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4772	Process not Found
4560	Process not Found
11488	Process not Found
11544	attrib.exe
2024	Process not Found
17188	Process not Found
13360	Process not Found
14164	Process not Found
7756	Process not Found
4660	Process not Found
16496	Process not Found
5784	Process not Found
10364	Process not Found
12052	Process not Found
8292	Process not Found
16196	Process not Found
10612	Process not Found
10684	Process not Found
14132	Process not Found
13388	Process not Found
12532	Process not Found
10232	Process not Found
7620	Process not Found
4064	Process not Found
15984	attrib.exe
7424	Process not Found
11432	Process not Found
9512	Process not Found
1768	Process not Found
7060	Process not Found
9876	Process not Found
9752	Process not Found
16620	attrib.exe
10808	Process not Found
8768	Process not Found
11512	Process not Found
6464	Process not Found
7640	Process not Found
7204	Process not Found
7452	Process not Found
14744	Process not Found
9424	Process not Found
12428	Process not Found
12300	Process not Found
9756	Process not Found
13724	Process not Found
6184	Process not Found
14828	Process not Found
14612	Process not Found
9304	Process not Found
9888	Process not Found
14412	Process not Found
4060	Process not Found
12292	attrib.exe
12740	attrib.exe
9324	attrib.exe
8208	Process not Found
3284	Process not Found
844	Process not Found
12296	Process not Found
14948	Process not Found
11752	Process not Found
16376	Process not Found
9360	Process not Found

C:\Users\Admin\AppData\Local\Temp\064072765f6081e8eff5978ea8984d22.exe
"C:\Users\Admin\AppData\Local\Temp\064072765f6081e8eff5978ea8984d22.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240621656.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:3008
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6400
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240621812.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1832
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6120
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:10272
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:15148
  - - C:\Windows\SysWOW64\kaqhfaz.exe
      C:\Windows\system32\kaqhfaz.exe
      4⤵
      PID:15752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240657296.bat
      4⤵
      PID:15592
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:15632
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10264
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:11584
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:13276
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:13248
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8496
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240622109.bat
1⤵
PID:2380
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3684
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6056
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5988
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5284
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7440
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10312
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240665140.bat
    3⤵
    PID:11900
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7256
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15524

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:2192
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240653109.bat
  2⤵
  PID:14600
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:16004

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:464

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:788

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240622656.bat
1⤵
PID:1452
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:780
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4452
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6064
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6108
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:13432
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7336
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3744

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1740

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:1704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3548

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3544

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:940

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240623687.bat
1⤵
PID:4300
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3284

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4688

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3088

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2620

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:916

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:3940
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\kaqhfaz.exe
    C:\Windows\system32\kaqhfaz.exe
    3⤵
    PID:5144

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3284

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4644

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3240

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:780

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4068

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1600

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5616

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5760

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:5752

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5772

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5440

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:5616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240626312.bat
  2⤵
  PID:5772
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:12384
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
        5⤵
        
        PID:9192
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:14064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:15532
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:8896
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:12652
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:13652

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5748

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5788

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6024

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6040
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5444
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6756
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6544
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10752
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8388
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8984

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5660

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:5628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240657625.bat
  2⤵
  PID:16228

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1956

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4556

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5904

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5964

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1600

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5248

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6220

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6640

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6740

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6764
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  PID:5296
- - C:\Windows\SysWOW64\kaqhfaz.exe
    C:\Windows\system32\kaqhfaz.exe
    3⤵
    PID:6396
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:8280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240628062.bat
1⤵
PID:6944
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6716
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15608

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:7044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240658828.bat
  2⤵
  PID:14424

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6984

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5904

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6436

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6604

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6672

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6752

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3460

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6540

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5916

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6836

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:6928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240629062.bat
  2⤵
  PID:6940
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6752
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6724
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:9552
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:13408
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:11060
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:9000
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240659640.bat
  2⤵
  PID:12516
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:7464
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:9324

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6404

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6924

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5152

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7104

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240629500.bat
1⤵
PID:6020
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7864
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8068
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:12872
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14000
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240664000.bat
    3⤵
    PID:8676
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15864

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6780

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6844

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5360

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240630250.bat
1⤵
PID:7272
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:12352
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3224
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5292

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:7364
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  PID:7892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240630687.bat
    3⤵
    PID:8132
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:9672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:11708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240661656.bat
    3⤵
    PID:12384

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240663078.bat
  2⤵
  PID:13260

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7732

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7840

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6984

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240630828.bat
1⤵
PID:7356
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:13984
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15640

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6528

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6612

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240631093.bat
1⤵
PID:8060
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8312
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9220
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10172
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:13700
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5416

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7784

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240665921.bat
  2⤵
  PID:17308
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:14180

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7236

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:7804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240662421.bat
  2⤵
  PID:13988

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7752
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:11776

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240631859.bat
1⤵
PID:6612
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10820
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:12696
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14960
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14280
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15828

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:6212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240632000.bat
  2⤵
  PID:6932
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:9528
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:10836
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:13144
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:14928
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:15936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240662843.bat
  2⤵
  PID:17208

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7424

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7308

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7072

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7816

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240632406.bat
1⤵
PID:7180
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9356
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14136
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:16968
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:15824
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:13192
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14728
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240657234.bat
    3⤵
    PID:15492

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7964

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8080

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8180

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8208

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8444

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8688

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9060

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9112

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:9196
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  PID:7816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240663906.bat
    3⤵
    PID:15956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240663812.bat
  2⤵
  PID:4560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8556

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8172

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9184

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:8308

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8436

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7204

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8516

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8952

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8976

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240634125.bat
1⤵
PID:8520
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9572
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10828

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:8260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240665171.bat
  2⤵
  PID:14288

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9136

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:8864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240634812.bat
  2⤵
  PID:8572
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:15760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240665656.bat
  2⤵
  PID:13888

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240634984.bat
1⤵
PID:8524
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:16076
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2512
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10964
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:16904

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9076
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:9272
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:11544
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:13756
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10160
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6280
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:16048

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9272

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9332

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9488

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:9652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240666125.bat
  2⤵
  PID:14476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240663078.bat
    3⤵
    PID:16380
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:8232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9976

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:8328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240666453.bat
  2⤵
  PID:7412

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9284

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9544

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240635906.bat
1⤵
PID:9944
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15288
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:11720
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9936

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9116

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1112

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9760

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:9732
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  PID:9248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240636484.bat
    3⤵
    PID:8432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3944
- - C:\Windows\SysWOW64\kaqhfaz.exe
    C:\Windows\system32\kaqhfaz.exe
    3⤵
    PID:8908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240667468.bat
      4⤵
      PID:16036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240667328.bat
    3⤵
    PID:15556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240667250.bat
  2⤵
  PID:8440

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9828

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9840

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10056
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:16360
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:16088

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9292

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8948

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9744

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9992

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9456

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240637265.bat
1⤵
PID:10064
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10340
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:13268

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:10252
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  PID:10524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240668250.bat
    3⤵
    PID:9888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240668093.bat
  2⤵
  PID:15112

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10268

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10640

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10732

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:11040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11256

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10508

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10540

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9400
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10952
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:12344
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:13988
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:6536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240659515.bat
      4⤵
      PID:14276
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:15464
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:11776

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9428

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10384
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10820
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14564
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15280

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11136

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10968

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10672

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240671609.bat
  2⤵
  PID:8064

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9804

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10828

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10016
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4552
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15528

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10220

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9716

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9936

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10184

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10996

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9828

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11332

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11468

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11656

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12060

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12180

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12276

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:10880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240671437.bat
  2⤵
  PID:8628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10640

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10444
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:12496
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:11916

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11868

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11648

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11748

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11880

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11280

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9468

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:12284

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11664

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11424

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240642640.bat
1⤵
PID:10676
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:12460
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:12108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10756

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11852

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12360

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12436

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12336

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12328

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12308

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12300

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:12292

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12680

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240676281.bat
  2⤵
  PID:4836

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12768

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13268

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10756

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240645218.bat
1⤵
PID:12904
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:12576
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:12464
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7440

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12460

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7184

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13272

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12836

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12116

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12392

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12236

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12296

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12948

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:12740

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:11168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240677140.bat
  2⤵
  - Drops file in System32 directory
  PID:4272

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240646546.bat
1⤵
PID:10820

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13492
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5684

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:13800
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  PID:14156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240647109.bat
  2⤵
  PID:14064
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:15076

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240647250.bat
1⤵
PID:14316
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:11976
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:12448

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12712

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:10448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240668265.bat
  2⤵
  PID:10836

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12080
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:9624
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:14256

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11028

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13088

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13172
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:16552
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5472
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8464
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:13156
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14024

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14292

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14256

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14248

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14184

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14172

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14028

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13996
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:15200

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13968

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13928

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13892

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13352

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13252

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13340

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13448

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14012

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14284
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240656703.bat
    3⤵
    PID:3084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
      4⤵
      PID:3164
- - C:\Windows\SysWOW64\kaqhfaz.exe
    C:\Windows\system32\kaqhfaz.exe
    3⤵
    PID:13112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240663484.bat
    3⤵
    PID:8840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
      4⤵
      PID:13672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240663546.bat
  2⤵
  PID:14972
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:17028
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:10176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14196

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240649750.bat
1⤵
PID:11920
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14876
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:8784
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14048

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:13748
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  PID:14220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240667906.bat
    3⤵
    PID:5696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240667968.bat
  2⤵
  PID:13340

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13968

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13936

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12660

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3396

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14232
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:11920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13784

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13260
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:10560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13120

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11248

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11304

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11028

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13228
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:14560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13520

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12328

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13508

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13532

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240650953.bat
1⤵
PID:14616
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:17336
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6468

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14604

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14712

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14772

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15032

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15228

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12960

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14048

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12856

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14716

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240651812.bat
1⤵
PID:11416
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8624
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:16564

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12172

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240651984.bat
1⤵
PID:10708

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240652125.bat
1⤵
PID:15016
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:10480
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:16176

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:14828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240666000.bat
  2⤵
  PID:17256
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:7384

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13724

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15080

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14896

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240652421.bat
1⤵
PID:13696
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7568
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15108
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15772

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15168

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14916

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15032

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13100

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13528

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:14420

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12596

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3228

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14004

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15284

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13880

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13308

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240653015.bat
1⤵
PID:10392
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:14100
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8652

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10944

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240652937.bat
1⤵
PID:14920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1192

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:14116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240664859.bat
  2⤵
  PID:7196
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
    3⤵
    PID:11460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240652812.bat
1⤵
PID:12488
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7772
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240652796.bat
1⤵
PID:4232
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:17304
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:15588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:10984

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240652718.bat
1⤵
PID:14712
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:15456

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15172

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:15008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240665046.bat
  2⤵
  PID:8384

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14476

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240652578.bat
1⤵
PID:14844
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:15556
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:5836
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:13652

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15220

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13500

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15064

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12444
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:5476
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:3352

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15324

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240652562.bat
1⤵
PID:15000
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2948
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:8400
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15540

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11776

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13416

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15688

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15880

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15928

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16068

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:16464
- C:\Windows\SysWOW64\kaqhfaz.exe
  C:\Windows\system32\kaqhfaz.exe
  2⤵
  PID:16700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240658000.bat
  2⤵
  PID:16592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240661671.bat
  2⤵
  PID:13328

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240658078.bat
1⤵
PID:16780
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:8928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240658125.bat
1⤵
PID:16928
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:15996

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240658453.bat
1⤵
PID:17400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240658390.bat
1⤵
PID:17352
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:9572
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:9084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:17328

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:17320

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:17288

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:17208
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:6828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240658265.bat
1⤵
PID:17136
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:11100
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:5464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240658250.bat
1⤵
PID:17092
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240658656.bat
1⤵
PID:14836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240659828.bat
1⤵
PID:6732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240659968.bat
1⤵
PID:16420
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:1692
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:14952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240660125.bat
1⤵
PID:13496
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:11012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240658640.bat
1⤵
PID:12188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240660281.bat
1⤵
PID:4448
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:13164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:16824

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:17052

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16952

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16684

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16676

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240657906.bat
1⤵
PID:16508
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:10260
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:2572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 15600 -ip 15600
1⤵
PID:13820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240662328.bat
1⤵
PID:5144
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:4144
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:15920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15944

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1588

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8096

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240663140.bat
1⤵
PID:16116
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:14880

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16460

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16596

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:11424

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8160

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3352

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5528

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8240

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240665031.bat
1⤵
PID:16164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:8888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240665515.bat
1⤵
PID:7508
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:13552

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240666062.bat
1⤵
PID:6160
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:9236

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:14948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240665828.bat
1⤵
PID:4584
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:12316

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:5336

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240666046.bat
1⤵
PID:7400
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:15476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240666656.bat
1⤵
PID:16176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:2300

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:15824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240667109.bat
1⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240667609.bat
1⤵
PID:15364

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16660

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:9536

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:9628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240668187.bat
1⤵
PID:14760

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:16088

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:15272

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:11912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240668109.bat
1⤵
PID:13744

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:11496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240668046.bat
1⤵
PID:8836

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:5444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240667968.bat
1⤵
PID:16492

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8160

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:8632

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16316

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:16852

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:6336

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:16460

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:12932

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15528

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15996

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:15280

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15792

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7768

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5196

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:15984

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240667718.bat
1⤵
PID:16032

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3436

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16160

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:8784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240667625.bat
1⤵
PID:6980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240667421.bat
1⤵
PID:11876

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:1348

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:17348

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:17376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15144

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7436

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:8104

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:6720

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:16564

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:8828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240663703.bat
  2⤵
  PID:7752

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:14540

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:13540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240666984.bat
1⤵
PID:4368
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:5460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240666921.bat
1⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240666796.bat
1⤵
PID:3892
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:9388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:3972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:14644

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240664265.bat
  2⤵
  PID:5044

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240663625.bat
  2⤵
  PID:7992

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240663578.bat
  2⤵
  PID:6764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240661703.bat
    3⤵
    PID:15068

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:8448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240664578.bat
  2⤵
  PID:3712

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9200

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15352

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:5464

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8404

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:8324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240666734.bat
1⤵
PID:13708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240666687.bat
1⤵
PID:11384
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:4924

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240666468.bat
1⤵
PID:13112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240663296.bat
  2⤵
  PID:10740
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:13844

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:3580

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:16416

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:3908

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:6452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240665781.bat
1⤵
PID:2132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11460

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240662296.bat
  2⤵
  PID:13516

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4520

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14096

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8064

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9584

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6072

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13316

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14268

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:11584

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12180

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11208

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2988

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9748

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240665312.bat
1⤵
PID:11988

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5752

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5768

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:9428

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:11376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6880

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15908

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10124
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:15872

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9072

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10992

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10352

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240664906.bat
1⤵
PID:12268
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:16620

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15492

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10064

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6896

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16088

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13844

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15052

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240659125.bat
  2⤵
  PID:16280

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1484

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9112

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14256

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16260

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13976

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12336

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16100

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4552

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240664390.bat
1⤵
PID:14632
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:13136

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:17008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240664109.bat
1⤵
PID:8752

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:8284

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12448

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1648

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12480

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14060

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8888

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
- Drops file in System32 directory
PID:464

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5224

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:6448

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5532

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4272

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:8892

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:8620

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240663312.bat
1⤵
PID:8248
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:16880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240663375.bat
1⤵
PID:5376
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:16488

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9808

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:11412

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16632

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15940

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16712

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6380

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5148

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:17120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 15640 -s 236
1⤵
- Program crash
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240662984.bat
1⤵
PID:13228

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 15456 -s 196
1⤵
- Program crash
PID:6900

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 15600 -s 228
1⤵
- Program crash
PID:15980

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240662843.bat
1⤵
PID:17364
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
  2⤵
  PID:7548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240662796.bat
1⤵
PID:6812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240662750.bat
1⤵
PID:14524

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:17340

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16312

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14072

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16248

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16252

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13340

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1768

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:12932

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7028

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11776

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:6280

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2800

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13500

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240673421.bat
1⤵
PID:11820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240675234.bat
1⤵
PID:9540

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5652

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:1936

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:5660

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15608

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240670687.bat
1⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240675468.bat
1⤵
PID:7800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240676890.bat
1⤵
PID:12720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240677203.bat
1⤵
PID:14396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240676984.bat
1⤵
PID:7140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240676859.bat
1⤵
PID:7520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240670843.bat
1⤵
PID:16344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240675046.bat
1⤵
PID:14096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240676609.bat
1⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240668343.bat
1⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240668968.bat
1⤵
PID:7256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240674609.bat
1⤵
PID:10288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240676468.bat
1⤵
PID:16856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240675718.bat
1⤵
PID:11012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240669171.bat
1⤵
PID:6452

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1604

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:17016

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:9644

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:15724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240671125.bat
1⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240669890.bat
1⤵
PID:12696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240668765.bat
1⤵
PID:17132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240669781.bat
1⤵
PID:11516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240670031.bat
1⤵
PID:17068

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14504

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:7464

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:17072

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:6312

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\kaqhfaz.exe" -r -a -s -h
1⤵
PID:9320

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10280

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15928

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7536

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6416

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16360

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6896

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13976

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4552

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:5364

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15908

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14080

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16888

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:7772

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15672

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240658718.bat
  2⤵
  PID:6872

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:10352

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:11000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240671750.bat
1⤵
PID:12312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240672031.bat
1⤵
PID:11676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240668625.bat
1⤵
PID:16092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240669484.bat
1⤵
PID:8120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240674859.bat
1⤵
PID:5304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240662546.bat
1⤵
PID:15564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240662375.bat
1⤵
PID:12536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 15456 -ip 15456
1⤵
PID:16772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 15640 -ip 15640
1⤵
PID:14180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240659390.bat
1⤵
PID:6108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240661718.bat
1⤵
PID:14660

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4664

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240658984.bat
1⤵
PID:13388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240657812.bat
1⤵
PID:16388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6352

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14172

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14716

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16016

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16000

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1408

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240657765.bat
1⤵
PID:6132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15712

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15584

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:4108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15440

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6064

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15484

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:6092

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15324

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13676

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:13096

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:14120

C:\Windows\SysWOW64\kaqhfaz.exe
C:\Windows\system32\kaqhfaz.exe
1⤵
PID:16104

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:16032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240657484.bat
1⤵
PID:16024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240657468.bat
1⤵
PID:16008

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15992

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15984

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15976

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15888

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15804

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15796

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15788

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15780

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15680

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15664

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15672

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15656

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15648

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15616

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15600

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:15548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DFD240657203.bat
1⤵
PID:15448

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\064072765f6081e8eff5978ea8984d22.exe" -r -a -s -h
1⤵
PID:15380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DFD240621656.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240652796.bat

Filesize
173B

MD5
ffca287cc31a26e49b272dacf4ef9b69

SHA1
bd43ab9d9b2e2dfadd252683a17d3c5905be374c

SHA256
01c382f08b04a7784bc8507470191d2924aaa9fd26c651af6747ff1522b27077

SHA512
eda08b03c89fce7596642fb5f1a24e14b5ce35b54a85f94eeb70cf8733b5196a75d3ba1aae5e773ff8635eb644a398227bb8af582d05b16a39f4ea293a9ebebc

Download Submit
C:\DFD240656000.bat

Filesize
346B

MD5
bd2ba288701841ec8c1c47a69f7e7b5e

SHA1
56f9b0663beebae9e2cd09774b9554a864cfad08

SHA256
feb96adf1e1264069b0326be3bd7c61cd6a72fe0052e893b4c81ef91ac976857

SHA512
a82e3614f7ffeb137ad2b5e7781eff5f173676ec3a79350e216339a82b8949722cf95bd3a9c68a8a652e4a3bd0da7c12365b85b6f7d8f1b4c164cb96ef58df25

Download Submit
C:\Windows\Fonts\enhuafx.fon

Filesize
101B

MD5
dc4e6d382fdc3482ae2b359e01076d36

SHA1
66e688c2efd8e3dd41d08c7f9d6a0e425c5a8f3d

SHA256
171e79c3b731e0f997f68ed6e842e0e3adc97e87bafc88acb1638d231767721c

SHA512
3cbc7e68ddc20bf75f5990efd7119379603343c052e54e32e5c01d12c5eddf1ffdc758769cb88f77eb45249764022c1b1399173d437153cf9effe3c03a37be9a

Download Submit
C:\Windows\SysWOW64\kaqhfaz.exe

Filesize
13KB

MD5
064072765f6081e8eff5978ea8984d22

SHA1
716a4a97354b173affee7646af6ee73ad1be8355

SHA256
7f3f07afece25733b21324cc230e23c51b010b1b58dd2a51f78e19146e5d29ff

SHA512
58c51cba2fa2153b873a4126a1284df236614d40127a04daf15e1c5cd01a0aebc5b5979b393763ceaf35e4b136771a747315286ccf7ff691ffae7a50bce368f1

Download Submit
C:\Windows\SysWOW64\kaqhfcs.dll

Filesize
57B

MD5
d8e2be26b9766c0bb17217810dad166c

SHA1
53b15a586ab4349ebb26cd52896051d146e200df

SHA256
f0c5d11fb10f8a95778d87f70dc29a9f5c6903fb1ef15181ec05d2607f0eb879

SHA512
ff264da23d82204bd350a13575a2f7e8c5210b941d4ba4794831887e531ded58bff698dda24c083efb1cf6a42bd6c966c181d6c6f824150e9db78416e8fea450

Download Submit
C:\Windows\SysWOW64\kaqhfzy.dll

Filesize
17KB

MD5
27a7defa2e81608b9001fc089423d56e

SHA1
6ef1ba3d33bd4b58e247ed866b36251be602b9b1

SHA256
00f23cfa9b04dc1c9fafea8fb7a7eadf51b55c6d3b981a7a7949064329e76f88

SHA512
584d97dd5df537ce9fbb1fd54217fd1dfb2c79de3a40f76ae28cd674960718c154686aaf7b0497be94242422cfa3442af59a9e425d9dbe0a2a91956d64f0c037

Download Submit
C:\Windows\SysWOW64\kaqhfzy.dll

Filesize
10KB

MD5
35722051b25af69d7d5f2fba5642a5f2

SHA1
63c00c904062eb760593404b814255f549b27016

SHA256
abdabb563834854405fe77841b8983661148990b8f1d94f5ed765ee060a30669

SHA512
80feab0fb9b9f701e17181fa602890d758e19b4b79b7cba9a9525e232ff3ee9415e3e060ec1ebcfb73ae12c997980de6afda01de5a6f26a5b4ef1ffc62124680

Download Submit
C:\Windows\SysWOW64\kaqhfzy.dll

Filesize
19KB

MD5
77cbc7015923de62815af9e5d9fed4be

SHA1
e5bc519e6e95fb456faea127519e304021eab212

SHA256
72ad2eb67ed750a6c1b5505471173014708a29d6e17d95efbe57f1a2b8c9c6bb

SHA512
cdede606627098b5f83a5251d41f5d006bd278252566f5d5eaf8abc644dbc24cc2aa73a95bbb9c9ee92f7738ea79ed384051a4c59823aa4b93999740f212fcf2

Download Submit
memory/312-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3304-157-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3304-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3940-327-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3956-111-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4224-65-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4296-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4296-173-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5576-438-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5736-582-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6728-649-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/8448-992-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/8644-980-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download