6bde7d605ef38189e2354d743a1df62ed2527debf7cfb35ee2ab97e7b048babf

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78b0425ec1fdffb50dca8c3e49c045f7.dll
Size

15KB
MD5

78b0425ec1fdffb50dca8c3e49c045f7
SHA1

f192a6fda9d71900f07fe9c04d374a3ace317d61
SHA256

6bde7d605ef38189e2354d743a1df62ed2527debf7cfb35ee2ab97e7b048babf
SHA512

20d58783efa66f6aac5edfea33ca1b36fd111a935db9d1b3ea624c0a981feccd80e0e9f763714c5a1bfdd2757361783dd3104a2b031ab3954d1efe9d926d7b07
SSDEEP

384:Xm96zMObd7c7PS/seyo4w0mlwEcBcXj+2gzccVYYOywc:WkjRI7Yhi1qz1gccJn

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\verclsid.exe	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2040	2200	rundll32.exe	28
PID 2200 wrote to memory of 2040	2200	rundll32.exe	28
PID 2200 wrote to memory of 2040	2200	rundll32.exe	28
PID 2200 wrote to memory of 2040	2200	rundll32.exe	28
PID 2200 wrote to memory of 2040	2200	rundll32.exe	28
PID 2200 wrote to memory of 2040	2200	rundll32.exe	28
PID 2200 wrote to memory of 2040	2200	rundll32.exe	28
PID 2040 wrote to memory of 2432	2040	rundll32.exe	29
PID 2040 wrote to memory of 2432	2040	rundll32.exe	29
PID 2040 wrote to memory of 2432	2040	rundll32.exe	29
PID 2040 wrote to memory of 2432	2040	rundll32.exe	29
PID 2432 wrote to memory of 2716	2432	cmd.exe	31
PID 2432 wrote to memory of 2716	2432	cmd.exe	31
PID 2432 wrote to memory of 2716	2432	cmd.exe	31
PID 2432 wrote to memory of 2716	2432	cmd.exe	31
PID 2432 wrote to memory of 2676	2432	cmd.exe	32
PID 2432 wrote to memory of 2676	2432	cmd.exe	32
PID 2432 wrote to memory of 2676	2432	cmd.exe	32
PID 2432 wrote to memory of 2676	2432	cmd.exe	32
PID 2432 wrote to memory of 2720	2432	cmd.exe	33
PID 2432 wrote to memory of 2720	2432	cmd.exe	33
PID 2432 wrote to memory of 2720	2432	cmd.exe	33
PID 2432 wrote to memory of 2720	2432	cmd.exe	33
PID 2432 wrote to memory of 2812	2432	cmd.exe	34
PID 2432 wrote to memory of 2812	2432	cmd.exe	34
PID 2432 wrote to memory of 2812	2432	cmd.exe	34
PID 2432 wrote to memory of 2812	2432	cmd.exe	34
PID 2432 wrote to memory of 2788	2432	cmd.exe	35
PID 2432 wrote to memory of 2788	2432	cmd.exe	35
PID 2432 wrote to memory of 2788	2432	cmd.exe	35
PID 2432 wrote to memory of 2788	2432	cmd.exe	35
PID 2432 wrote to memory of 2796	2432	cmd.exe	36
PID 2432 wrote to memory of 2796	2432	cmd.exe	36
PID 2432 wrote to memory of 2796	2432	cmd.exe	36
PID 2432 wrote to memory of 2796	2432	cmd.exe	36
PID 2432 wrote to memory of 2816	2432	cmd.exe	37
PID 2432 wrote to memory of 2816	2432	cmd.exe	37
PID 2432 wrote to memory of 2816	2432	cmd.exe	37
PID 2432 wrote to memory of 2816	2432	cmd.exe	37
PID 2432 wrote to memory of 2984	2432	cmd.exe	38
PID 2432 wrote to memory of 2984	2432	cmd.exe	38
PID 2432 wrote to memory of 2984	2432	cmd.exe	38
PID 2432 wrote to memory of 2984	2432	cmd.exe	38
PID 2432 wrote to memory of 2976	2432	cmd.exe	39
PID 2432 wrote to memory of 2976	2432	cmd.exe	39
PID 2432 wrote to memory of 2976	2432	cmd.exe	39
PID 2432 wrote to memory of 2976	2432	cmd.exe	39
PID 2432 wrote to memory of 2780	2432	cmd.exe	40
PID 2432 wrote to memory of 2780	2432	cmd.exe	40
PID 2432 wrote to memory of 2780	2432	cmd.exe	40
PID 2432 wrote to memory of 2780	2432	cmd.exe	40
PID 2432 wrote to memory of 2732	2432	cmd.exe	41
PID 2432 wrote to memory of 2732	2432	cmd.exe	41
PID 2432 wrote to memory of 2732	2432	cmd.exe	41
PID 2432 wrote to memory of 2732	2432	cmd.exe	41
PID 2432 wrote to memory of 2604	2432	cmd.exe	42
PID 2432 wrote to memory of 2604	2432	cmd.exe	42
PID 2432 wrote to memory of 2604	2432	cmd.exe	42
PID 2432 wrote to memory of 2604	2432	cmd.exe	42
PID 2432 wrote to memory of 2764	2432	cmd.exe	43
PID 2432 wrote to memory of 2764	2432	cmd.exe	43
PID 2432 wrote to memory of 2764	2432	cmd.exe	43
PID 2432 wrote to memory of 2764	2432	cmd.exe	43
PID 2432 wrote to memory of 2936	2432	cmd.exe	44

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2884	attrib.exe
2664	attrib.exe
1260	attrib.exe
940	attrib.exe
804	Process not Found
2820	Process not Found
3036	attrib.exe
1536	Process not Found
1012	Process not Found
1292	Process not Found
1332	Process not Found
2876	Process not Found
3064	Process not Found
2864	attrib.exe
1736	Process not Found
2652	Process not Found
1584	Process not Found
2552	Process not Found
2240	attrib.exe
1808	attrib.exe
2032	attrib.exe
1788	attrib.exe
2636	Process not Found
2864	Process not Found
1036	Process not Found
1240	attrib.exe
2360	Process not Found
2792	Process not Found
748	Process not Found
1160	Process not Found
2600	Process not Found
436	Process not Found
1968	Process not Found
528	Process not Found
2712	attrib.exe
2340	attrib.exe
2520	attrib.exe
2596	attrib.exe
2600	attrib.exe
2504	attrib.exe
1832	Process not Found
2748	Process not Found
1204	Process not Found
2548	Process not Found
1128	Process not Found
1980	attrib.exe
840	attrib.exe
2252	Process not Found
832	Process not Found
240	Process not Found
2860	attrib.exe
2628	attrib.exe
2440	attrib.exe
2832	Process not Found
272	attrib.exe
3004	Process not Found
2704	Process not Found
1988	Process not Found
2316	Process not Found
2032	attrib.exe
1604	attrib.exe
400	attrib.exe
1168	Process not Found
1380	Process not Found

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\78b0425ec1fdffb50dca8c3e49c045f7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\78b0425ec1fdffb50dca8c3e49c045f7.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DeleteFileDos.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:1980
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2168
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2456
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1204
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2312
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:912
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2340
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:3036
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1852
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:1240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:1744
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:896
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1852
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:1528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1204
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:912
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1132
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2340
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:272
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:488
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:600
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:1592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:1808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1852
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2456
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1132
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2340
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:272
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2080
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:1788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2600
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:748
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:1604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1204
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:912
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:1260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:1052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:1088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:896
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:488
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:1560
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2792
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "c:\windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DeleteFileDos.bat

Filesize
176B

MD5
495949363519ab9378e10fe2160347bd

SHA1
d2465edee504606570cd701e5e1b4fc39143f56f

SHA256
2a640bbdf706988a1885dad9c274d3c054fa49761a242febe87a69c673da3481

SHA512
420186d034501dc6ad25724bd1d60ac6ac9c0f7a09a64b37df324ac19d678c3770a21474ba3fa13b74db1f04ed0133caa05336431f7bfa4bc404bb7b54a4ef8e

Download Submit