73d5f4ecb862e112d7e531f648d6a307fe7ba6681fc993b64347dfa5d34621b8

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

091ede7a0f32484f35b6450b9c42a03b.exe
Size

11KB
MD5

091ede7a0f32484f35b6450b9c42a03b
SHA1

5c2a5839161144357558354e757e6e5d1cb85383
SHA256

73d5f4ecb862e112d7e531f648d6a307fe7ba6681fc993b64347dfa5d34621b8
SHA512

7f54885c093dd94be69799db44092acf8a9e065744577875bebf920c89b1a819dc067461fba1c2f8162252373eca42634772d8864f60d10a4f90adc581f9ce32
SSDEEP

192:ItOeQY0Cw/dRldb/U9UnlSIqurDt199HjAWJ4kbln+btRltKjBP5U9s8MieUkgUj:ItOeQYNurP64SIJrEw4kF6tvs1S9jMiA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3084	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2816	kawdbaz.exe
756	kawdbaz.exe
1672	kawdbaz.exe
2892	kawdbaz.exe
3024	kawdbaz.exe
1324	kawdbaz.exe
3056	kawdbaz.exe
2804	kawdbaz.exe
1500	kawdbaz.exe
2764	kawdbaz.exe
2180	kawdbaz.exe
2252	kawdbaz.exe
1276	kawdbaz.exe
2720	kawdbaz.exe
572	attrib.exe
1876	kawdbaz.exe
1928	attrib.exe
580	kawdbaz.exe
2060	kawdbaz.exe
1120	kawdbaz.exe
368	kawdbaz.exe
2640	kawdbaz.exe
2076	kawdbaz.exe
2136	kawdbaz.exe
364	kawdbaz.exe
1304	kawdbaz.exe
1860	kawdbaz.exe
2752	kawdbaz.exe
1628	kawdbaz.exe
3716	kawdbaz.exe
2736	kawdbaz.exe
3656	kawdbaz.exe
3856	kawdbaz.exe
2768	kawdbaz.exe
1940	kawdbaz.exe
3056	Process not Found
3116	Process not Found
3144	Process not Found
3812	Process not Found
3128	Process not Found
3276	Process not Found
996	Process not Found
880	Process not Found
3972	Process not Found
1896	Process not Found
4000	Process not Found
2008	Process not Found
1060	Process not Found
2936	Process not Found
3068	Process not Found
1644	Process not Found
2924	Process not Found
948	Process not Found
4220	Process not Found
2560	Process not Found
5024	Process not Found
3408	Process not Found
4336	Process not Found
3048	Process not Found
4108	Process not Found
3872	Process not Found
3800	Process not Found
4416	Process not Found
1644	Process not Found

Loads dropped DLL 64 IoCs

pid	Process
2040	091ede7a0f32484f35b6450b9c42a03b.exe
2040	091ede7a0f32484f35b6450b9c42a03b.exe
2816	kawdbaz.exe
2816	kawdbaz.exe
756	kawdbaz.exe
756	kawdbaz.exe
1672	kawdbaz.exe
1672	kawdbaz.exe
2892	kawdbaz.exe
2892	kawdbaz.exe
3024	kawdbaz.exe
3024	kawdbaz.exe
1324	kawdbaz.exe
1324	kawdbaz.exe
3056	kawdbaz.exe
3056	kawdbaz.exe
2804	kawdbaz.exe
2804	kawdbaz.exe
1500	kawdbaz.exe
1500	kawdbaz.exe
2764	kawdbaz.exe
2764	kawdbaz.exe
2180	kawdbaz.exe
2180	kawdbaz.exe
2252	kawdbaz.exe
2252	kawdbaz.exe
1276	kawdbaz.exe
1276	kawdbaz.exe
2720	kawdbaz.exe
2720	kawdbaz.exe
572	attrib.exe
572	attrib.exe
1876	kawdbaz.exe
1876	kawdbaz.exe
1928	attrib.exe
1928	attrib.exe
580	kawdbaz.exe
580	kawdbaz.exe
2060	kawdbaz.exe
2060	kawdbaz.exe
1120	kawdbaz.exe
1120	kawdbaz.exe
368	kawdbaz.exe
368	kawdbaz.exe
2640	kawdbaz.exe
2640	kawdbaz.exe
2076	kawdbaz.exe
2076	kawdbaz.exe
2136	kawdbaz.exe
2136	kawdbaz.exe
364	kawdbaz.exe
364	kawdbaz.exe
1304	kawdbaz.exe
1304	kawdbaz.exe
1860	kawdbaz.exe
1860	kawdbaz.exe
2752	kawdbaz.exe
2752	kawdbaz.exe
1628	kawdbaz.exe
1628	kawdbaz.exe
3716	kawdbaz.exe
3716	kawdbaz.exe
2736	kawdbaz.exe
2736	kawdbaz.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\kawdacs.dll	kawdbaz.exe
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbzy.dll	kawdbaz.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\kawdbzy.dll	kawdbaz.exe
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	kawdbaz.exe
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\kawdbzy.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kawdbaz.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\kawdbzy.dll	kawdbaz.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\enweafx.fon	Process not Found
File opened for modification	C:\Windows\Fonts\enweafx.fon	091ede7a0f32484f35b6450b9c42a03b.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	091ede7a0f32484f35b6450b9c42a03b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	091ede7a0f32484f35b6450b9c42a03b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	attrib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	kawdbaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32	kawdbaz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28907901-1416-3389-9981-372178569982}\InprocServer32\ = "C:\\Windows\\SysWow64\\kawdbzy.dll"	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	091ede7a0f32484f35b6450b9c42a03b.exe
2816	kawdbaz.exe
756	kawdbaz.exe
1672	kawdbaz.exe
2892	kawdbaz.exe
3024	kawdbaz.exe
1324	kawdbaz.exe
3056	kawdbaz.exe
2804	kawdbaz.exe
1500	kawdbaz.exe
2764	kawdbaz.exe
2180	kawdbaz.exe
2252	kawdbaz.exe
1276	kawdbaz.exe
2720	kawdbaz.exe
572	attrib.exe
1876	kawdbaz.exe
1928	attrib.exe
580	kawdbaz.exe
2060	kawdbaz.exe
1120	kawdbaz.exe
368	kawdbaz.exe
2640	kawdbaz.exe
2076	kawdbaz.exe
2076	kawdbaz.exe
2136	kawdbaz.exe
2136	kawdbaz.exe
364	kawdbaz.exe
364	kawdbaz.exe
1304	kawdbaz.exe
1304	kawdbaz.exe
1860	kawdbaz.exe
1860	kawdbaz.exe
2752	kawdbaz.exe
2752	kawdbaz.exe
2752	kawdbaz.exe
1628	kawdbaz.exe
1628	kawdbaz.exe
1628	kawdbaz.exe
1628	kawdbaz.exe
3716	kawdbaz.exe
3716	kawdbaz.exe
3716	kawdbaz.exe
3716	kawdbaz.exe
2736	kawdbaz.exe
2736	kawdbaz.exe
2736	kawdbaz.exe
2736	kawdbaz.exe
2736	kawdbaz.exe
3656	kawdbaz.exe
3656	kawdbaz.exe
3656	kawdbaz.exe
3656	kawdbaz.exe
3856	kawdbaz.exe
3856	kawdbaz.exe
3856	kawdbaz.exe
3856	kawdbaz.exe
3856	kawdbaz.exe
2768	kawdbaz.exe
2768	kawdbaz.exe
2768	kawdbaz.exe
2768	kawdbaz.exe
2768	kawdbaz.exe
1940	kawdbaz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2980	2040	091ede7a0f32484f35b6450b9c42a03b.exe	28
PID 2040 wrote to memory of 2980	2040	091ede7a0f32484f35b6450b9c42a03b.exe	28
PID 2040 wrote to memory of 2980	2040	091ede7a0f32484f35b6450b9c42a03b.exe	28
PID 2040 wrote to memory of 2980	2040	091ede7a0f32484f35b6450b9c42a03b.exe	28
PID 2980 wrote to memory of 2656	2980	cmd.exe	247
PID 2980 wrote to memory of 2656	2980	cmd.exe	247
PID 2980 wrote to memory of 2656	2980	cmd.exe	247
PID 2980 wrote to memory of 2656	2980	cmd.exe	247
PID 2040 wrote to memory of 2816	2040	091ede7a0f32484f35b6450b9c42a03b.exe	31
PID 2040 wrote to memory of 2816	2040	091ede7a0f32484f35b6450b9c42a03b.exe	31
PID 2040 wrote to memory of 2816	2040	091ede7a0f32484f35b6450b9c42a03b.exe	31
PID 2040 wrote to memory of 2816	2040	091ede7a0f32484f35b6450b9c42a03b.exe	31
PID 2816 wrote to memory of 2668	2816	kawdbaz.exe	334
PID 2816 wrote to memory of 2668	2816	kawdbaz.exe	334
PID 2816 wrote to memory of 2668	2816	kawdbaz.exe	334
PID 2816 wrote to memory of 2668	2816	kawdbaz.exe	334
PID 2980 wrote to memory of 2736	2980	cmd.exe	333
PID 2980 wrote to memory of 2736	2980	cmd.exe	333
PID 2980 wrote to memory of 2736	2980	cmd.exe	333
PID 2980 wrote to memory of 2736	2980	cmd.exe	333
PID 2980 wrote to memory of 2780	2980	cmd.exe	332
PID 2980 wrote to memory of 2780	2980	cmd.exe	332
PID 2980 wrote to memory of 2780	2980	cmd.exe	332
PID 2980 wrote to memory of 2780	2980	cmd.exe	332
PID 2668 wrote to memory of 2732	2668	cmd.exe	331
PID 2668 wrote to memory of 2732	2668	cmd.exe	331
PID 2668 wrote to memory of 2732	2668	cmd.exe	331
PID 2668 wrote to memory of 2732	2668	cmd.exe	331
PID 2980 wrote to memory of 868	2980	cmd.exe	330
PID 2980 wrote to memory of 868	2980	cmd.exe	330
PID 2980 wrote to memory of 868	2980	cmd.exe	330
PID 2980 wrote to memory of 868	2980	cmd.exe	330
PID 2668 wrote to memory of 2848	2668	cmd.exe	242
PID 2668 wrote to memory of 2848	2668	cmd.exe	242
PID 2668 wrote to memory of 2848	2668	cmd.exe	242
PID 2668 wrote to memory of 2848	2668	cmd.exe	242
PID 2980 wrote to memory of 2948	2980	cmd.exe	241
PID 2980 wrote to memory of 2948	2980	cmd.exe	241
PID 2980 wrote to memory of 2948	2980	cmd.exe	241
PID 2980 wrote to memory of 2948	2980	cmd.exe	241
PID 2668 wrote to memory of 2584	2668	cmd.exe	329
PID 2668 wrote to memory of 2584	2668	cmd.exe	329
PID 2668 wrote to memory of 2584	2668	cmd.exe	329
PID 2668 wrote to memory of 2584	2668	cmd.exe	329
PID 2980 wrote to memory of 368	2980	cmd.exe	328
PID 2980 wrote to memory of 368	2980	cmd.exe	328
PID 2980 wrote to memory of 368	2980	cmd.exe	328
PID 2980 wrote to memory of 368	2980	cmd.exe	328
PID 2816 wrote to memory of 756	2816	kawdbaz.exe	327
PID 2816 wrote to memory of 756	2816	kawdbaz.exe	327
PID 2816 wrote to memory of 756	2816	kawdbaz.exe	327
PID 2816 wrote to memory of 756	2816	kawdbaz.exe	327
PID 2668 wrote to memory of 2576	2668	cmd.exe	238
PID 2668 wrote to memory of 2576	2668	cmd.exe	238
PID 2668 wrote to memory of 2576	2668	cmd.exe	238
PID 2668 wrote to memory of 2576	2668	cmd.exe	238
PID 2980 wrote to memory of 2592	2980	cmd.exe	235
PID 2980 wrote to memory of 2592	2980	cmd.exe	235
PID 2980 wrote to memory of 2592	2980	cmd.exe	235
PID 2980 wrote to memory of 2592	2980	cmd.exe	235
PID 2668 wrote to memory of 2616	2668	cmd.exe	326
PID 2668 wrote to memory of 2616	2668	cmd.exe	326
PID 2668 wrote to memory of 2616	2668	cmd.exe	326
PID 2668 wrote to memory of 2616	2668	cmd.exe	326

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4872	Process not Found
2012	attrib.exe
3148	Process not Found
4028	Process not Found
4420	Process not Found
2392	Process not Found
840	Process not Found
3696	Process not Found
884	attrib.exe
1948	Process not Found
5448	Process not Found
2832	attrib.exe
4280	Process not Found
4676	Process not Found
1200	Process not Found
2952	Process not Found
1780	Process not Found
584	attrib.exe
916	attrib.exe
4704	Process not Found
2708	attrib.exe
1520	Process not Found
3680	Process not Found
3060	attrib.exe
3932	Process not Found
3860	Process not Found
1924	Process not Found
3180	Process not Found
3896	Process not Found
4996	Process not Found
5000	Process not Found
4872	Process not Found
2596	Process not Found
2596	Process not Found
2128	Process not Found
3504	Process not Found
4016	attrib.exe
2624	Process not Found
2764	Process not Found
1688	Process not Found
2136	attrib.exe
1688	Process not Found
5624	Process not Found
5616	Process not Found
548	Process not Found
2456	attrib.exe
3248	attrib.exe
4848	Process not Found
4632	Process not Found
4580	Process not Found
4884	Process not Found
1968	attrib.exe
4048	Process not Found
2676	Process not Found
4224	Process not Found
2132	attrib.exe
3492	Process not Found
2004	Process not Found
320	Process not Found
4664	Process not Found
4940	Process not Found
4180	Process not Found
3000	Process not Found
1464	attrib.exe

C:\Users\Admin\AppData\Local\Temp\091ede7a0f32484f35b6450b9c42a03b.exe
"C:\Users\Admin\AppData\Local\Temp\091ede7a0f32484f35b6450b9c42a03b.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259416808.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:584
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:2656
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:240
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:896
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:872
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:576
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3448
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:520
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:868
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:344
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:916
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:2456
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:996
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:3036
- C:\Windows\SysWOW64\kawdbaz.exe
  C:\Windows\system32\kawdbaz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\kawdbaz.exe
    C:\Windows\system32\kawdbaz.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259447867.bat
      4⤵
      PID:296
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:3740
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:1368
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259417042.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1196
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:3820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259447711.bat
    3⤵
    PID:1984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:3756
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:3784
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:3084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259447571.bat
  2⤵
  - Deletes itself
  PID:3084
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\091ede7a0f32484f35b6450b9c42a03b.exe" -r -a -s -h
    3⤵
    PID:3860

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2848
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1064
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:344
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1940
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1520
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2952
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1552
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2484
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2716
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1100
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:808
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2860

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2540

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:688

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1280

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3064

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:1968

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1580

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2328

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1872

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2260

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1324
- C:\Windows\SysWOW64\kawdbaz.exe
  C:\Windows\system32\kawdbaz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259448866.bat
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:3352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:4056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:3272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259418025.bat
  2⤵
  PID:2428
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:688
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:240
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:344
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259448694.bat
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1500

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2476

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259419039.bat
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:240
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:312
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:608
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:704
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:640
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:584
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3776
- C:\Windows\SysWOW64\kawdbaz.exe
  C:\Windows\system32\kawdbaz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259449864.bat
    3⤵
    PID:3096
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:576
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:3820

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1532

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2144

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2156

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2752

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2784

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1752

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2912

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259418883.bat
1⤵
PID:2148
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2420
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1184
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2616
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2692
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2156
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1908
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3036
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2828
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1160
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2372
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:2136
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1680
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2008
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3048
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1368
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3060
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:2152
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:640
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1280
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1580
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1688
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2840
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2468
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3356
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3120
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3644

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2144

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2292

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2756

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:564

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:916

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
PID:1928

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:896

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2324

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1716

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1908

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2332

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:640

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2044

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2372

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:904

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1932

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259419663.bat
1⤵
PID:440
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3048
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2708
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:800
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2440
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:1468
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1800
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1948
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1580
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1816
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1736
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2548
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:840
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1624
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2304
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2088
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:344
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3676
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3928
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3368

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259450769.bat
  2⤵
  PID:3296
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2832

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:1464

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2344

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2880

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1160

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:800

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1580

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259419507.bat
1⤵
PID:544
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1736
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2608
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:608
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3044
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2016
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2468
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:364
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2904
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1736
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2548
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3004
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2224
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1060
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1956
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:344
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2388
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3020
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2736
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:312
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:884
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3236
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3772
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3260
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3860

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:880

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
PID:572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2316

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1344

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2100

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1924

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:268

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:588

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259419351.bat
1⤵
PID:2580
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2136
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2384
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2904
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:640
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2752
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2132
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2044
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1860
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:576
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2088
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2784
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2468
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1612
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:952
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1520
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2012
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2512
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4080
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1636
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3036
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1744

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259450020.bat
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2596

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2724

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2828

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:2708

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2820

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2864

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1060

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259419195.bat
1⤵
PID:2228
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2688
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2864
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1352
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2664
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2024
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1296
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2780
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2896
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2260
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2416
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2896
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1612
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1716
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2864
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1896
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:296
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2512
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1968
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2756
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:840
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3812
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:2624
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:312
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4044
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1468
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4088

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3032

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2488

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2288

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3048

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1900

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2304

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2432

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259449693.bat
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:2132
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3192

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259420255.bat
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:840
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:240
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:628
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1608

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:952

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1612

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2324

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2404

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1664

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2372

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259449537.bat
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3940

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2420

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2080

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2664

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1932

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1524

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2480

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1984

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3008

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2144

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259418727.bat
1⤵
PID:1668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1632

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2896

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2876

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2292

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1468

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1368

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1956

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3064

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259449396.bat
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1692

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:364

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:872

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2244

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2064

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259418571.bat
1⤵
PID:2740

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2676

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2860

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259450176.bat
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1956

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259449225.bat
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1648

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2592

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2676

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1499794464530344052617194817140475680566730415719341082-1730021134-47994006"
1⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259418383.bat
1⤵
PID:2848
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2820
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3020
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1636
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2388
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1904
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3060
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:868
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2420
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1636
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2332
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:240
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2328
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:836
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2860
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1568
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3064
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2456
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1684
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3924
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3188
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3936
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1924
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1716

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:868

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1168

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2756

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2788

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2800

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2864

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259449084.bat
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3276

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2672

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1364

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259418212.bat
1⤵
PID:2648
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1896
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:312
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2868
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:608
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1816
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2096
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1576
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1684
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2416
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2596
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2636
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1780
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:2808
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2232
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2508
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2008
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3368
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4000
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1500
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4012
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3240
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1100

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2472

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2240

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2392

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:3048

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1472

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2140

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2888

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1900

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1928
- C:\Windows\SysWOW64\kawdbaz.exe
  C:\Windows\system32\kawdbaz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259424265.bat
    3⤵
    PID:872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3508
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\kawdbaz.exe
    C:\Windows\system32\kawdbaz.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259428071.bat
      4⤵
      PID:980
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1704
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2332
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1704
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1624
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1728
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1940
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3684
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4076
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\kawdbaz.exe
      C:\Windows\system32\kawdbaz.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:1120
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431347.bat
        5⤵
        
        PID:2688
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2624
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:296
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:808
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2316
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1468
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2508
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2488
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Views/modifies file attributes
        
        PID:3060
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:2904
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1164
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1084
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4064
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2816
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4004
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:640
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:3116
    - - C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:368
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434405.bat
        6⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3148
      - C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434763.bat
        7⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441269.bat
        8⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441955.bat
        9⤵
        
        PID:268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259444279.bat
        10⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        Views/modifies file attributes
        
        PID:4016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        Views/modifies file attributes
        
        PID:3248
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259444810.bat
        11⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259445059.bat
        12⤵
        
        PID:564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259445340.bat
        13⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259445839.bat
        14⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259463639.bat
        15⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259464653.bat
        16⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259465917.bat
        17⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259466900.bat
        18⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259467804.bat
        19⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\kawdbaz.exe
        
        C:\Windows\system32\kawdbaz.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259465308.bat
        6⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        7⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        7⤵
        
        PID:756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        7⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259464887.bat
        5⤵
        
        PID:2804
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        6⤵
        
        PID:2880
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        6⤵
        
        PID:2412
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        6⤵
        
        PID:3912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259461814.bat
      4⤵
      PID:3264
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:3732
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:3968
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:4088
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:3212
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:3292
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
        5⤵
        
        PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259458554.bat
    3⤵
    PID:3132
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:3900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
      4⤵
      PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259454763.bat
  2⤵
  PID:3216
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:3900
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3772

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1200

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2404

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:704

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259417822.bat
1⤵
PID:1212
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1688
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:880
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2076
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1684
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2608
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:112
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2828
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2324
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:2832
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2232
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1296
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2440
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2680
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:704
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2756
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2480
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1200
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2372
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:636
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3112
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3196
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3904
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3224
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3868

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2324

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1692

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2456

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1904

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259448492.bat
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3828

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1196

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259417572.bat
1⤵
PID:1884
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2680
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:564
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:808
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1980
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:2088
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2016
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2724
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3064
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1680
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2536
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2832
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1968
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1684
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2128
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2084
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2728
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2468
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3908
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2292
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3848
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3040
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3692

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1304

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2396

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:320

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
- Drops file in System32 directory
PID:1668
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:296
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2376
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1220
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2632
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1520
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2912
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2512
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1960
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2664
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2788
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1712
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2028
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2088
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1924
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2784
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3040
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3688
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1608
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2492
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2720
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1064

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1368

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259448289.bat
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1100

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1468

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259417401.bat
1⤵
PID:1936
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2724
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:320
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1536
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2488
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2452
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1616
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1536
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2632
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1896
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1864
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:896
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:576
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2432
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2316
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2860
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1640
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3128
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3496
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3708
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2808

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1644

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2532

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:860

C:\Windows\SysWOW64\kawdbaz.exe
C:\Windows\system32\kawdbaz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259448070.bat
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:628
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\kawdbaz.exe" -r -a -s -h
    3⤵
    PID:2816

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:580

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259417213.bat
1⤵
PID:2620
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1576
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:836
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2288
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1948
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1612
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:884
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2636
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2756
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2304
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2248
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2508
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1752
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:636
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2348
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1636
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3120
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2744
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3872
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1680
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1644

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2616

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2584

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5755476481842224880-2090979388-525280121840933052-433410608-2116917204-902109788"
1⤵
PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-520068067-2056367993548315065-6551642411543926533-1879760695-691202020-520027217"
1⤵
PID:608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-126563015-1529052891139877530-1113164637-1566998575-738716319-306326849-1492032256"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-209222608139407430712584207271236668741145078474-1914350643603284229-2138784071"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11413621741435351366-1076392785-426502864-64576493413310401411486071904-212772697"
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DFD259416808.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD259447571.bat

Filesize
290B

MD5
0ca3bbda4f251dcc485b0af37cd9a647

SHA1
e294470254b1f1b8ec3b25e5b5ce84786dd5ecaa

SHA256
deebbaf8812cc53b50d463289d76cd48bebd32f01f8d88aeeee7c14f59aba546

SHA512
a93b0722860d0baa43a61d7b321d7e90bf64ce6e7c0973ceba4f047f3eee1dd1f252793641eebd9a8feac880d6c7a350d04e0cd6cf94b1587b211ed093b10f5f

Download Submit
C:\DFD259449225.bat

Filesize
173B

MD5
fbc4b0b0c28ae418f918878e1256568f

SHA1
51f5311b0f2886387e495136920724cea15c6e14

SHA256
e50b387312e44d2cf5ba080a39087e2b86a39866480c1ac4260311368b70bc7d

SHA512
439342709a9cae1a058d63c3d7cc2098bffb4e4b1eb6e59ceeae5a306214453e3bd943440f0a228b5e1a4432082788ad581233c77674f4c4ed11c5e1a15a821f

Download Submit
C:\Windows\Fonts\enweafx.fon

Filesize
95B

MD5
4d1f601896e9197fdf20b32167ae85b6

SHA1
4f19fe7cdb5af5e0a1f1a1e4222313fd417a1b67

SHA256
5ef1580b851cde82dcafac9c00bd3040afa5534f1902be46d0b8dc6a5a28d8a5

SHA512
0b9f198267b46cae03fa934b20bb7e061899336a3a62b4496f3d0232530f2609a4fb86a3605c77b121acc82ccecd5f9b4622f59f167f4115e60115c0d23020ca

Download Submit
C:\Windows\SysWOW64\kawdacs.dll

Filesize
54B

MD5
a80d3850aabe044b2435f515a2f1e4d1

SHA1
8294bd5fbff2cd5fc06ead0b867f318f1d5acb50

SHA256
3b02c6774cf6f8bcd53633fc08f74f39f333913128ed18341a5f43c47e80d640

SHA512
babdbf4acdacd8d88b2bb386528540571fce043271bb952a57b5def17fba98d6d739b4b091ddfb9165665e388cadd57a77357efb668e9d2febd748c99c6b937d

Download Submit
C:\Windows\SysWOW64\kawdbaz.exe

Filesize
8KB

MD5
077194a9dee982550fcb8c212a08757d

SHA1
1cc080d73d8614b9cacb6ad3d02c11b8a5a7910c

SHA256
bd4be3a2d73b98755fcb3e69dd450f5dc1c634973ce8fbe20cee1e61477dd8c4

SHA512
26901772f53db7da9b52ee9ae241a7415d62e691372dd41635275447d6b2155926f53ad77c367aa442e997aa199d8ace8d83ed5dd4ae30397635c7b5161f48f0

Download Submit
C:\Windows\SysWOW64\kawdbzy.dll

Filesize
17KB

MD5
df70a54d8e00148b724763de5fecb591

SHA1
f269358e182a9f554f853d35a7649216ea817fa5

SHA256
c060aab22e0d4f4cb26aafdb997a338a5d514c46641d24ffa68dd4d323332e33

SHA512
bd2d0ebba37614f9c53332079464ecd13e29b88dcbd8f9f58caa089340e1ca25b32bc99f0882d2fa499d19446df9d527ef36d59b6f4f01856de28298f6bdeb68

Download Submit
\Windows\SysWOW64\kawdbaz.exe

Filesize
11KB

MD5
091ede7a0f32484f35b6450b9c42a03b

SHA1
5c2a5839161144357558354e757e6e5d1cb85383

SHA256
73d5f4ecb862e112d7e531f648d6a307fe7ba6681fc993b64347dfa5d34621b8

SHA512
7f54885c093dd94be69799db44092acf8a9e065744577875bebf920c89b1a819dc067461fba1c2f8162252373eca42634772d8864f60d10a4f90adc581f9ce32

Download Submit
memory/948-1174-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/948-1175-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/996-956-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/996-955-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/996-1043-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/996-1042-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/1060-1176-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1060-1177-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1060-1061-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1324-141-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1500-193-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1644-1124-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1644-1227-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1644-1228-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1644-1116-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1672-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1896-1080-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1896-1007-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1896-1079-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1896-1008-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1928-393-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/2008-1044-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2008-1136-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2040-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2040-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2040-28-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2040-22-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2060-358-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2076-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2076-427-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2252-309-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2560-1229-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2720-275-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2736-719-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2768-753-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-139-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2892-102-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2924-1135-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2924-1134-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2936-1208-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2936-1081-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3024-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3056-818-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/3056-258-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3056-937-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/3056-155-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3068-1226-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/3068-1114-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/3068-1115-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/3116-835-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3116-954-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3128-917-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3128-1009-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3656-810-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/3656-736-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/3716-761-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/3716-686-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/3812-852-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3812-989-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3972-990-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3972-1078-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/4220-1209-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download