32d33f015a41bee4ccc5cc203c673600eda9f82bbda8b64177ee42ca868735f7

Analysis

max time kernel
63s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e044fe4699ca1d795eb0cc04f45c62.exe
Size

88KB
MD5

a3e044fe4699ca1d795eb0cc04f45c62
SHA1

48600f2e735e9e9436e88eeaff9da11c34d3a873
SHA256

32d33f015a41bee4ccc5cc203c673600eda9f82bbda8b64177ee42ca868735f7
SHA512

1f107ea560a3ff843ba68a29630365446a4ba7e0628b7b079f755fece2d394c617869bfaa3236810ad65f4744029c8f1df97c8893c7d159be3840c956fe33c7d
SSDEEP

768:7OtyZn2mNa9nVYnvKYxiZBHzQQpIaRCl37ewEPpgkXQhyxH:2yOVYvKUuBTPvCl37ewQgE3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3792	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3052	avzxdst.exe
2456	avzxdst.exe
2800	avzxdst.exe
1612	avzxdst.exe
1144	avzxdst.exe
2668	avzxdst.exe
1640	avzxdst.exe
2056	avzxdst.exe
1608	avzxdst.exe
2024	avzxdst.exe
2028	avzxdst.exe
668	avzxdst.exe
2172	avzxdst.exe
2920	avzxdst.exe
2264	avzxdst.exe
2708	avzxdst.exe
2628	avzxdst.exe
1564	avzxdst.exe
2780	avzxdst.exe
896	avzxdst.exe
608	avzxdst.exe
552	avzxdst.exe
1424	avzxdst.exe
548	avzxdst.exe
1296	avzxdst.exe
2332	avzxdst.exe
612	avzxdst.exe
1700	avzxdst.exe
2624	avzxdst.exe
2736	avzxdst.exe
2956	avzxdst.exe
452	avzxdst.exe
2772	avzxdst.exe
1656	avzxdst.exe
3092	avzxdst.exe
3720	avzxdst.exe
1256	avzxdst.exe
3340	avzxdst.exe
1016	Process not Found
3788	Process not Found
3412	Process not Found
1428	Process not Found
3964	Process not Found
3500	Process not Found
2724	Process not Found
1600	Process not Found
1536	Process not Found
3888	Process not Found
3768	Process not Found
3084	Process not Found
3688	Process not Found
3080	Process not Found
3616	Process not Found
3172	Process not Found
3100	Process not Found
2556	Process not Found
2568	Process not Found
3312	Process not Found
2024	Process not Found
776	Process not Found
3448	Process not Found
4640	Process not Found
2652	Process not Found
4572	Process not Found

Loads dropped DLL 64 IoCs

pid	Process
1652	a3e044fe4699ca1d795eb0cc04f45c62.exe
1652	a3e044fe4699ca1d795eb0cc04f45c62.exe
3052	avzxdst.exe
3052	avzxdst.exe
2456	avzxdst.exe
2456	avzxdst.exe
2800	avzxdst.exe
2800	avzxdst.exe
1612	avzxdst.exe
1612	avzxdst.exe
1144	avzxdst.exe
1144	avzxdst.exe
2668	avzxdst.exe
2668	avzxdst.exe
1640	avzxdst.exe
1640	avzxdst.exe
2056	avzxdst.exe
2056	avzxdst.exe
1608	avzxdst.exe
1608	avzxdst.exe
2024	avzxdst.exe
2024	avzxdst.exe
2028	avzxdst.exe
2028	avzxdst.exe
668	avzxdst.exe
668	avzxdst.exe
2172	avzxdst.exe
2172	avzxdst.exe
2920	avzxdst.exe
2920	avzxdst.exe
2264	avzxdst.exe
2264	avzxdst.exe
2708	avzxdst.exe
2708	avzxdst.exe
2628	avzxdst.exe
2628	avzxdst.exe
1564	avzxdst.exe
1564	avzxdst.exe
2780	avzxdst.exe
2780	avzxdst.exe
896	avzxdst.exe
896	avzxdst.exe
608	avzxdst.exe
608	avzxdst.exe
552	avzxdst.exe
552	avzxdst.exe
1424	avzxdst.exe
1424	avzxdst.exe
548	avzxdst.exe
548	avzxdst.exe
1296	avzxdst.exe
1296	avzxdst.exe
2332	avzxdst.exe
2332	avzxdst.exe
612	avzxdst.exe
612	avzxdst.exe
1700	avzxdst.exe
1700	avzxdst.exe
2624	avzxdst.exe
2624	avzxdst.exe
2736	avzxdst.exe
2736	avzxdst.exe
2956	avzxdst.exe
2956	avzxdst.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdmn.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\avzxcmn.dll	avzxdst.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxain.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxain.dll	avzxdst.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxcmn.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\avzxdst.exe	Process not Found

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	a3e044fe4699ca1d795eb0cc04f45c62.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe
File opened for modification	C:\Windows\Fonts\mszhasd.fon	avzxdst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	a3e044fe4699ca1d795eb0cc04f45c62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}	a3e044fe4699ca1d795eb0cc04f45c62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ThreadingModel = "Apartment"	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32	avzxdst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32\ = "C:\\Windows\\SysWow64\\avzxdmn.dll"	avzxdst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	a3e044fe4699ca1d795eb0cc04f45c62.exe
3052	avzxdst.exe
2456	avzxdst.exe
2800	avzxdst.exe
1612	avzxdst.exe
1144	avzxdst.exe
2668	avzxdst.exe
1640	avzxdst.exe
2056	avzxdst.exe
1608	avzxdst.exe
2024	avzxdst.exe
2028	avzxdst.exe
668	avzxdst.exe
2172	avzxdst.exe
2920	avzxdst.exe
2264	avzxdst.exe
2708	avzxdst.exe
2628	avzxdst.exe
1564	avzxdst.exe
2780	avzxdst.exe
896	avzxdst.exe
608	avzxdst.exe
552	avzxdst.exe
1424	avzxdst.exe
1424	avzxdst.exe
548	avzxdst.exe
548	avzxdst.exe
1296	avzxdst.exe
1296	avzxdst.exe
2332	avzxdst.exe
2332	avzxdst.exe
2332	avzxdst.exe
612	avzxdst.exe
612	avzxdst.exe
612	avzxdst.exe
1700	avzxdst.exe
1700	avzxdst.exe
1700	avzxdst.exe
2624	avzxdst.exe
2624	avzxdst.exe
2736	avzxdst.exe
2736	avzxdst.exe
2956	avzxdst.exe
2956	avzxdst.exe
2956	avzxdst.exe
452	avzxdst.exe
452	avzxdst.exe
452	avzxdst.exe
2772	avzxdst.exe
2772	avzxdst.exe
2772	avzxdst.exe
1656	avzxdst.exe
1656	avzxdst.exe
1656	avzxdst.exe
1656	avzxdst.exe
3092	avzxdst.exe
3092	avzxdst.exe
3092	avzxdst.exe
3720	avzxdst.exe
3720	avzxdst.exe
3720	avzxdst.exe
3720	avzxdst.exe
1256	avzxdst.exe
1256	avzxdst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2160	1652	a3e044fe4699ca1d795eb0cc04f45c62.exe	28
PID 1652 wrote to memory of 2160	1652	a3e044fe4699ca1d795eb0cc04f45c62.exe	28
PID 1652 wrote to memory of 2160	1652	a3e044fe4699ca1d795eb0cc04f45c62.exe	28
PID 1652 wrote to memory of 2160	1652	a3e044fe4699ca1d795eb0cc04f45c62.exe	28
PID 1652 wrote to memory of 3052	1652	a3e044fe4699ca1d795eb0cc04f45c62.exe	30
PID 1652 wrote to memory of 3052	1652	a3e044fe4699ca1d795eb0cc04f45c62.exe	30
PID 1652 wrote to memory of 3052	1652	a3e044fe4699ca1d795eb0cc04f45c62.exe	30
PID 1652 wrote to memory of 3052	1652	a3e044fe4699ca1d795eb0cc04f45c62.exe	30
PID 2160 wrote to memory of 2576	2160	cmd.exe	31
PID 2160 wrote to memory of 2576	2160	cmd.exe	31
PID 2160 wrote to memory of 2576	2160	cmd.exe	31
PID 2160 wrote to memory of 2576	2160	cmd.exe	31
PID 2160 wrote to memory of 2704	2160	cmd.exe	32
PID 2160 wrote to memory of 2704	2160	cmd.exe	32
PID 2160 wrote to memory of 2704	2160	cmd.exe	32
PID 2160 wrote to memory of 2704	2160	cmd.exe	32
PID 2160 wrote to memory of 2688	2160	cmd.exe	33
PID 2160 wrote to memory of 2688	2160	cmd.exe	33
PID 2160 wrote to memory of 2688	2160	cmd.exe	33
PID 2160 wrote to memory of 2688	2160	cmd.exe	33
PID 3052 wrote to memory of 2720	3052	avzxdst.exe	34
PID 3052 wrote to memory of 2720	3052	avzxdst.exe	34
PID 3052 wrote to memory of 2720	3052	avzxdst.exe	34
PID 3052 wrote to memory of 2720	3052	avzxdst.exe	34
PID 2160 wrote to memory of 1236	2160	cmd.exe	35
PID 2160 wrote to memory of 1236	2160	cmd.exe	35
PID 2160 wrote to memory of 1236	2160	cmd.exe	35
PID 2160 wrote to memory of 1236	2160	cmd.exe	35
PID 2160 wrote to memory of 2564	2160	cmd.exe	37
PID 2160 wrote to memory of 2564	2160	cmd.exe	37
PID 2160 wrote to memory of 2564	2160	cmd.exe	37
PID 2160 wrote to memory of 2564	2160	cmd.exe	37
PID 2160 wrote to memory of 2480	2160	cmd.exe	39
PID 2160 wrote to memory of 2480	2160	cmd.exe	39
PID 2160 wrote to memory of 2480	2160	cmd.exe	39
PID 2160 wrote to memory of 2480	2160	cmd.exe	39
PID 2720 wrote to memory of 2640	2720	cmd.exe	38
PID 2720 wrote to memory of 2640	2720	cmd.exe	38
PID 2720 wrote to memory of 2640	2720	cmd.exe	38
PID 2720 wrote to memory of 2640	2720	cmd.exe	38
PID 2160 wrote to memory of 2472	2160	cmd.exe	40
PID 2160 wrote to memory of 2472	2160	cmd.exe	40
PID 2160 wrote to memory of 2472	2160	cmd.exe	40
PID 2160 wrote to memory of 2472	2160	cmd.exe	40
PID 2720 wrote to memory of 2812	2720	cmd.exe	41
PID 2720 wrote to memory of 2812	2720	cmd.exe	41
PID 2720 wrote to memory of 2812	2720	cmd.exe	41
PID 2720 wrote to memory of 2812	2720	cmd.exe	41
PID 2160 wrote to memory of 2736	2160	cmd.exe	42
PID 2160 wrote to memory of 2736	2160	cmd.exe	42
PID 2160 wrote to memory of 2736	2160	cmd.exe	42
PID 2160 wrote to memory of 2736	2160	cmd.exe	42
PID 2720 wrote to memory of 2584	2720	cmd.exe	43
PID 2720 wrote to memory of 2584	2720	cmd.exe	43
PID 2720 wrote to memory of 2584	2720	cmd.exe	43
PID 2720 wrote to memory of 2584	2720	cmd.exe	43
PID 2160 wrote to memory of 2612	2160	cmd.exe	44
PID 2160 wrote to memory of 2612	2160	cmd.exe	44
PID 2160 wrote to memory of 2612	2160	cmd.exe	44
PID 2160 wrote to memory of 2612	2160	cmd.exe	44
PID 3052 wrote to memory of 2456	3052	avzxdst.exe	45
PID 3052 wrote to memory of 2456	3052	avzxdst.exe	45
PID 3052 wrote to memory of 2456	3052	avzxdst.exe	45
PID 3052 wrote to memory of 2456	3052	avzxdst.exe	45

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2104	Process not Found
2916	Process not Found
3792	Process not Found
3172	Process not Found
1952	Process not Found
3844	Process not Found
1492	Process not Found
5260	Process not Found
7744	Process not Found
6676	Process not Found
5444	Process not Found
3732	Process not Found
3680	Process not Found
4660	Process not Found
4520	Process not Found
2088	attrib.exe
4528	Process not Found
2980	Process not Found
5912	Process not Found
7060	Process not Found
4900	Process not Found
5544	Process not Found
6948	Process not Found
5488	Process not Found
6272	Process not Found
1868	Process not Found
1980	Process not Found
5752	Process not Found
5724	Process not Found
2296	attrib.exe
3816	Process not Found
6816	Process not Found
4508	Process not Found
3200	Process not Found
1028	Process not Found
3464	Process not Found
5052	Process not Found
6056	Process not Found
6924	Process not Found
4428	Process not Found
7108	Process not Found
3920	Process not Found
1016	Process not Found
6688	Process not Found
6532	Process not Found
1344	attrib.exe
1864	Process not Found
6128	Process not Found
6004	Process not Found
6804	Process not Found
6200	Process not Found
188	Process not Found
4208	Process not Found
2236	Process not Found
6040	Process not Found
4508	Process not Found
6180	Process not Found
3208	Process not Found
3872	Process not Found
7380	Process not Found
2616	Process not Found
7952	Process not Found
1280	attrib.exe
1820	Process not Found

C:\Users\Admin\AppData\Local\Temp\a3e044fe4699ca1d795eb0cc04f45c62.exe
"C:\Users\Admin\AppData\Local\Temp\a3e044fe4699ca1d795eb0cc04f45c62.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259399476.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:356
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:540
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:552
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:1344
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:692
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:1300
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:980
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:848
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:760
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:584
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:2088
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3640
- C:\Windows\SysWOW64\avzxdst.exe
  C:\Windows\system32\avzxdst.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259399694.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:2952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2380
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2272
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:656
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3180
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3784
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3308
- - C:\Windows\SysWOW64\avzxdst.exe
    C:\Windows\system32\avzxdst.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259399897.bat
      4⤵
      PID:2792
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:760
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2328
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:288
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1188
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1380
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:800
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:584
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1312
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1336
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:284
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1996
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1252
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:772
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1344
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2684
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1028
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:656
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1252
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1120
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:656
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:312
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:976
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:868
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3736
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3188
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3884
  - - C:\Windows\SysWOW64\avzxdst.exe
      C:\Windows\system32\avzxdst.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400100.bat
        5⤵
        
        PID:2068
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1252
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1620
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2176
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1824
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2280
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1504
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:976
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2248
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2736
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1512
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1816
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2296
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:772
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1280
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2552
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2596
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2332
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1308
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:696
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1272
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1568
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2624
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1840
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2272
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2912
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2500
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2320
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1772
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:748
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2552
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1296
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2624
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1624
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2188
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1336
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2272
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2724
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:656
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1464
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2840
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1512
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:828
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3148
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3808
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2996
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1492
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400303.bat
        6⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3856
      - C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400506.bat
        7⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400755.bat
        8⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400974.bat
        9⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259401192.bat
        10⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259401379.bat
        11⤵
        
        PID:604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259401629.bat
        12⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259401941.bat
        13⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259402206.bat
        14⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259402409.bat
        15⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259402783.bat
        16⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259403251.bat
        17⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        Views/modifies file attributes
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259403438.bat
        18⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259403641.bat
        19⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259403844.bat
        20⤵
        
        PID:564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259404031.bat
        21⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259404234.bat
        22⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259404686.bat
        23⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259405045.bat
        24⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        Views/modifies file attributes
        
        PID:1280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259405451.bat
        25⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259405669.bat
        26⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259405872.bat
        27⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259406246.bat
        28⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259406434.bat
        29⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259406636.bat
        30⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259406839.bat
        31⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259407354.bat
        32⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408040.bat
        33⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408789.bat
        34⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259409616.bat
        35⤵
        
        PID:348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259410396.bat
        36⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259410661.bat
        37⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259411426.bat
        38⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259412003.bat
        39⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\avzxdst.exe
        
        C:\Windows\system32\avzxdst.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259412861.bat
        40⤵
        
        PID:3824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1474085733172936795-1595686064694344971-3138511018342854483123829311250994137"
1⤵
PID:1856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-108216680510037797041410599961-903457031-2019923894-1251807988-1628972772699629554"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6498434041261553646-153496945211295444451353925317-6600764836156525861364666414"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-830560844-351847157-2130118119-4343735981842460949-960205995-576955647-1819307545"
1⤵
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1867021829-38653835-1244392354568704816-190616391591448071-49984948348546187"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-434604072-8696832231243159342-587404286329598338-1257405720635849951260073849"
1⤵
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "736435328-1057172074-3785145072078219388-194377440-1222248647414833657-1965511023"
1⤵
PID:2268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1090711660-2051545162212151959918902643891047285853-94094509858430126664296574"
1⤵
PID:800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "256798179-2475414336908830942027810574-1491480629-39419747621099043031719474787"
1⤵
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1336232309-1034872602-2095083474-1131701146143078485731501249219078089841908340382"
1⤵
PID:2572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14839375161313675303-19058649651921217019-20094641232005004073-374430809164765470"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "124320727439938662914574613117217930458515027-1070328144-1827846236-1020109261"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19343140-2139997145909722228757134529-930880350296280801-1879139422-413616352"
1⤵
PID:300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8697556881591497535-934179042404960803585962181652479876-999785027-1306830835"
1⤵
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1659846167-840327677-1426331390570026411-104056937115861416167744350991005602131"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-60974485113476816601810634015894235497-6786175011777698515-2843786381649876543"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1493175638659324371274042974-2075433000-11669092381778862104-599498128-1119165039"
1⤵
PID:2280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-617793569-42375066411892606969447763-1419075546836131441-1505953907-867877857"
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DFD259399476.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD259430161.bat

Filesize
290B

MD5
2518ea22beb90cb3c7f855e05e14544a

SHA1
d0af0f4b2692b4e56a3c1b9951b4ad66cffa072e

SHA256
74fa422c828221c7870ad315e9148d24bfe7f5cd36951bef27c67a29ec7af864

SHA512
c2480768ab9546ccd2021744d371e18d972254d44fb22fec8ce0d02ca916d21340d6d974931230b1fe8a2c0419a2d3ffae983daf454d9a2d588dd9837e22a559

Download Submit
C:\DFD259430614.bat

Filesize
173B

MD5
7aa32ef8b94552e4cb0cbf2c1c539862

SHA1
7311463d716e10107801b2d7b5ea08ab1819e96c

SHA256
1aa8198a68c0ef8f6b85f05a3c1ba6e593fbf68a1a07404e2183df94e0931c17

SHA512
0ff50b9c0def7aa53a84d9ae6d32456d5a4322691b0e938112e053c8078dd251bf450ff36691972d323e96b18b8c965f036e85837213f56b9f4fbba32874f427

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
2KB

MD5
d5b3d6ed1bf1c673260deffe28dc475d

SHA1
daf3b28e9c266025dd34c89adb3c5a3f708513d7

SHA256
48bd0510abe2f5c9254a22f2c1acf1fb2381fc0730c6b2d54979099d855af95c

SHA512
b35e2bd29222b0a22a2c2b944a57f66cfd12c0f593b34330b83b71aa8518c7c92272e15ff6b379eec2a742485e4a9c8e1c159be6c4e809de24232047076c7f4a

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
2KB

MD5
b74deb150fd691f88df59edbc52d460c

SHA1
43684ef78c2bb174a302650d401520372bbd82f7

SHA256
98e3941c7f446748257adf2b313c1824de58a20690b0da29e8754b377dd04008

SHA512
017e44fa3ec23921129b5bdfde9361146f971af4588a3a1f9ed8a7fc2a963b00b4c83e89206548a1bb51a74e7218e89aebee03b75066cd88ef20bc93d01326a7

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
413B

MD5
6d2bd9e71a2f7657f76331d20128d33b

SHA1
291a4be0231f66ee3bf36a4300e1c551aa528c60

SHA256
6566f0631869d04081b284f848fdd0bda1bc17e0949d9c18f5aac3343e9f0c8d

SHA512
aa92c7a81f057aedd845a6b2726472c5c81de9c47f335c576fa2b4aa4841967254f1f8fc24fc8feaf17612c22dec7f617bfdf0b3cdfc842a60e5efa1bcb899fc

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
2KB

MD5
4d7f64ce3b0d58da3ddfd6317c986522

SHA1
81f47eb663bad08dd374fc891f01974f170f3bd0

SHA256
e990a45fca9fefc91ac334eb108bffd7f8df35b2f91791b4e071ebc6a9c2b589

SHA512
25a45dc553b62944d5ae9a0ed6de5d9b30516ba30c193a5f67157b8861529972c57768ebd9d65727ae999b119cbb0b30d0495057e89e029a75197e1e0e939298

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
2KB

MD5
0545a88e95b61e013958f482af026921

SHA1
1eda2bb05fa40bb24dcf9f13db5ad484c602396d

SHA256
af6b988028438a8e1760e700d1eac7cc4be413ca840d94793284605982e730a4

SHA512
ac19a8b497d25c6135b84fd23bbd454a14b0aae19e76e096609ad5b606b7bdb8bb494dd16b8b60f529fdb840b0397b486d9c90093d63324e1343c316f1c02af8

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
2KB

MD5
1ea7b28677d339b9bde7e17931ff3c6d

SHA1
13a74aeebdca35c887f5721bd34bbdb0524829f4

SHA256
9c2e0341971c0b9f94460c3cd5fb46d9a55e84b432d897be630c9abb13dc10c1

SHA512
b3a269907047fe868f56e218172fdc8d6ca0780378e75160ba7a33a0d923e4418178697231a511cbbba12233b1a13256739ca7568b2dfc31ffbedc0b5be80055

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
2KB

MD5
89918d6e0374b4b7209d89f07b078265

SHA1
4ca7f68436c8c85d59c7d808d1e92415bc5c69cb

SHA256
9aeabc5dc49dc5899b3ca1e3f1d7f96fed2807c023ec41f198bb2c37e8a62271

SHA512
999d384130d6c4ffead70a07718c1f511654701235fa57e5a9d331155a755db7fe833479b0c8f08b06964fd023380911ff038c685294b577eba41c9a9eb89827

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
2KB

MD5
17e6310c12fea05155d108ce38cf4302

SHA1
0ede8098c55fa6109f68b07df31ab70f52c3def2

SHA256
fbb040b0c3178de855d137e8e6a7c80c32c2757cec112564d4c200524b461741

SHA512
d0789b7095384333a167890c42a94ff43b9b4c0edd795f54f0e579f024eb719de412723f13caa56cb97de71ddfa0cb68d6e0aedaac3c9e4d9117ef047ace4802

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
494B

MD5
79cbf78b44fc77b1d97feb785a81e08f

SHA1
37d18ec7ed2614399eb60db940a52664fdb3c6e2

SHA256
4b04c43b542d508afc23726b1cb52b55501767868c6fe5eea0189f2407f93190

SHA512
02182d5e8bfe750ddd18a09d22fd949d53806dd7cc48f2abdff3472cf5db3440c83b07840df0c19576601a6a0152b5759139e28e2827b78a5a54ab61fbdd1971

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
575B

MD5
c723e5733aa84c80c9771de9a7856980

SHA1
f1ec08f3512ce752c539eff4d1a3ec378c0a01f2

SHA256
5000f3e1848f52d2acd92b456281808b15c76003f9fbbf4c97d70427dd94e493

SHA512
8ad27ea09a5e0a0f502a09e52ffad87b17ce7390aa9c2664201a005993fc6d9c1b04e1197a455d6e922b107413f76b9829e928cd6a6bcf01bc5449e9a5e27f9a

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
656B

MD5
d8e927e56fc914419a19d925d8f442d2

SHA1
e12d3f026603e5c03f4084c4f7f8f0a49cb22d08

SHA256
362801252f6a689134ad57f7b6047368f84fe934b5e9cc09a7171de65fd0599e

SHA512
14c74b3db012e5920696fa25a809cfc05b00431ffc1fe2f6bf46696c8941b47553032cec614bdb82c4b68d810cadb36edcbd1debe925864d52ede12b9ed7d9a3

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
737B

MD5
70be31ffc6819e1e1ff922740cf95737

SHA1
93013b4cf596f6961372026c53f0dc6113be1bbf

SHA256
d86d6b59101bba8443210d31359ab5753b8cfea47602d456e8613214a2a4fe3f

SHA512
32a950387c67b3b7fa0a16bc0b0cde1ea6d6c21ffbcbb37078b89159de8d05164419bd43a86749b9601f4bbdd3536ca7607ec6a08d1c3c598446197a143332b3

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
819B

MD5
696156c4c621b531229a60985adaa0b7

SHA1
c788a5022ce0a9ae83bc99a798a677e9554d2118

SHA256
d1090427bb0ee0b7e336777dd0eb14f4ea3c97e1231f62f517f4b83b76192be7

SHA512
77d531b7631865312c5e56ed96f9c13919a53e7459bfbf91266139f6ed09f5a09d7f53e7544b9cfdfdcc37ab59fd1007758a16abeb0adfd9cd76e0e5f29ab9ef

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
901B

MD5
3c8d6776aa158e569e0b59e53d88699d

SHA1
9f69f6d4f7e676cb1fa7b85fa5976e298461fad5

SHA256
20cfad70d5250237b8d76acf0eb6a7760c470ef0eed6b651d1617c0008ba7899

SHA512
40b2c45d75ff38df19a6e6236c4dbef541eab3fb91e74542788c2ed40cccd9cce4145d87c97d96b9249389b474b806f238b5d5d2083912b522ac14b467a7db9d

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
983B

MD5
8ef36a403465bf8e95de797d1faf437d

SHA1
1528516530c465ed65530e6898e3da9e980c6982

SHA256
a2e4fd22ce4906fa405993548426b6bdafd49a5a6aebbf3abad357deab0ff26b

SHA512
47ba31fefcdb3a1486f1b8269147ec0696820c2784aaecfa6fa832567e97468c1273eb3b1e050d35feccfb900e46a4feb33b5d6c4546293921d7e6582d5816b7

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
170B

MD5
b290a9b317c5e459a67081ee91df92be

SHA1
6a2ad5fcb6da4e092a675aceaab04743b9d26536

SHA256
f47f20e15298fd958a9d39eedd98f2beafff430c5c7a20ae4cc3da4edb988ae5

SHA512
842998c393b8c66de44f8b52e98670783b4034e092795d076075d7e0cc24c49f622e67af2b92ff41c484d5da7ff162a3e6c947bc97ca8e2a72be86fbebca60b6

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
80b9dcbb062c6124c904de090b898a8b

SHA1
9dfb16891c2b9fb9e8a4c5384e54d7f3692252a7

SHA256
104318c3cc08c5b3ef9f44b707bb8cd663815f404c4243d132256a0eb88ee784

SHA512
78483a0d0c89ced786fefc79d7da59d33ffa019b9bbe93716633e1f4ce3703dfdcea199977bf97bd6f56a203f3230c90f22fa1dcddf2cd9dde89c8b913e275d9

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
c65f6f8bd7ac8f3b35d8a219cc97749d

SHA1
8f75e39679751e7d14c9623951fdc391f2509c0a

SHA256
5f71cb1e82bdeea41f393acb41e22c11711b66fe7e60040d7929d8fb038a656a

SHA512
790863bd21b582ac5774d463b0ffe460b615031b557f5d45b9963786efc2f1d122c03280dc632b53a6da81dced06f93fc314afa6c7ff1dd154adc81b2acba164

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
24f1ed72a017e15cfa28a04a83cceb3e

SHA1
33f484d36b040017576f40180d66873a0a1e7eb2

SHA256
8fd6d3ab87722c6d89cf0031482d954483ce5a7a212a965c863570ec1cda7619

SHA512
1085ff31cad701a8bc55f8eac843286bd46f59567822b59bc85fad5b35499346657367d2b958e5516f919342cf3cad9c4ce91f6a001bb23cf48d3a079f079f40

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
64aa5f62b6b71e0ca6f0f06f0cc572a0

SHA1
21a71ab35a6aba9409375930d0c1cbd0c1522b9f

SHA256
88a6e05fac984a22b5f6bc1753c9c7eee49abab5434f9c8483307b43788e7686

SHA512
2b28fcaa9db91f1b81f828fd23031ba36a7d05711be782a4c030f5e91930d1860f990341d1469e3316cfa3316e2702f006972ce09a4bbd87951b519e96df6860

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
dcaadaa22fe754830fc4d9280c0c7b51

SHA1
b9c72420a331b93bc2d4950cebf7722c388cde1a

SHA256
42fbf4b4c57f7c2881eb07baa1842c48ff223e965025462f5bb558c6c8d9dbee

SHA512
a53daf7d37faa88874222b208b9147770213e0df1ce87fdc5acd76e37801d140e229a0564a4c5e0d337fca2f82d8888ec2d2320674128292c03e381efce95bf8

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
251B

MD5
e3af5214b4301f262f7954a283e26c58

SHA1
c7410a6f0f2515774da94d57fe6db91cd0400b7d

SHA256
6f1729dd0cd14a6a6c72136b1a2361af00c594d8c86f04a7e953c2de3518b30c

SHA512
b01c302e7d6eb3626aaca2911927bba885bc48cea277171f16d33e069e98b6f649eeb94bc8d510990e83d750553de5dfd92aff7f46d098b70a39a17f5a70beb5

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
f110af8b998ec01e7d9be373bf16854d

SHA1
51e8b5298f216084e6b635cff1325b6bb3ba079d

SHA256
d0b4b61ef6ae7638d2be4c6dc1c2d27ec3ae6f96fb270ee9a4116a8858ba14ac

SHA512
8cfa2281a19c25138fbdf2408351371a5ae53c205e8adf263774e17bcf93304488275ad120936b7c94801ef66452322aadf4db928b1da8e842470107743b3135

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
30bcfbbd5cb692bde7ffcdbf0b8acdb7

SHA1
4949e47447340b8310379046db11137c0c54d805

SHA256
c5bc19c7cd8485f275f0e09f2d2f4688fcb8805a12d427ef30732694ce59b5c0

SHA512
5d95d3f0f098b6098bdccd6ea2cfb60909bab34465115efb7d752ad708581ecfc12fbcf764cf5d0aa4b067064f84677fc5242c5e1c6e75a5dfe1d2d0a2a14641

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
a27f533aef12b25430df0f77a575e864

SHA1
429aebcf61ef9ed6c310b8af22841905a93a845d

SHA256
0d8e86845b447c2d1fc9d9f026c720eff796a9731544c59f4deef3c626d76538

SHA512
d32807054a3f3f7e283f8efb78d643bb4e257d90fd8adb539cdab082e49ba777342ce5da7c153e85554c1112d8f634f86e493364c8e5126c60efdde0296165fc

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
9806ad8c631e28a2af5b8758db3c0407

SHA1
e48fe540608cc1c990360a8afad91f90f92b870e

SHA256
885e9d4f071f45dd492687d64b3d9005951daeea606f5e8788164fc1aeb9d648

SHA512
4e09c727e904d8bd7d2103aa2a78c5456c46ab9976bd1298d3ad080c7dd4d1618f17f4ad4d4e2db51445754c2bb26ea136aed260e29c1d33a9b2e1816258d7ba

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
a5a08745b3496b1ad5e7d4b4e1e34e93

SHA1
3edbeb9de23579289aba05c87b4ac1d178f78714

SHA256
8c96eff2aa82284f0ee128416aa49a6993eb892b9bdbc5d324466f6f3814fe2d

SHA512
9eb32bc63c05d344d522836071572d17414334b143c3eda6d9c829c366be3c80228c99beed61bf5d34595c84c78fabaf0b70d09bdc12f95f5623cf85b56774ca

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
332B

MD5
5b0df2522aeb69e3110a04eeb744cb73

SHA1
db97f7fc1b04c12c6f688e5942f8a0dc4eddab78

SHA256
469f0fe4b58c01e855c6d416128fe350825f3b335e8a617ca8e6e7d09ca8bd18

SHA512
8c66d5da98b8b47516a9955ef1572857105f5d5c8e78616bb85824df581a103f703e99a40a36e12e717cc43c51dba99ecfbcd5364711c1bf2351be63ec679c7f

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
e6fa81a897f897dd1e3221b6358fee76

SHA1
e9cd5d56483257c87ccadcb66b14b42420d1b198

SHA256
3e4a348da515a2c55c69a27aaec451bdeda9c038303a417475deb72db7304f1a

SHA512
1fbbfef3da8afecd38a94e7fd7ece6381d43ebeb35d941c1da8711739ab77e403b423608cde7d190ea1042844460e8d59c8166783a5f91ca4ed5531074e03171

Download Submit
C:\Windows\Fonts\mszhasd.fon

Filesize
1KB

MD5
125556804d328f9d0e05fc1101766656

SHA1
270758be2cca66b3aa7dbc98a0fa18078dd0cedd

SHA256
d3cd2bdc1d02a71a7ab29017b87224c2cd79d6a177afe2a948d0101395e017f0

SHA512
5b4d2c2b90330d7be7b3dde3c823fc26b2bb0c1f1a6c702d9db9587c1811b2376f389c3ae02613eeb500ddd7e8e94fd4ab5f643f5d2ab875a3d73834fd98013e

Download Submit
C:\Windows\SysWOW64\avzxain.dll

Filesize
51B

MD5
8b3acee835fc1f84de9276594c562e65

SHA1
775307c97a23d9ff6a1420cf7fe203df158dcd43

SHA256
89e42607abb0c86c3ef80b9f1d615e150e0c0065d7110b20030f03347ff7b54d

SHA512
30977abb7f47102f0d25e0c03e55b16cce51fd27b44d197214dcc427b7ae5fb98015baa1d28f9a538748ef164c7ca0eb8abad3bde6ca3704a1510dc05a62d050

Download Submit
C:\Windows\SysWOW64\avzxdmn.dll

Filesize
22KB

MD5
d2e92de976467b5f442e633463a7f064

SHA1
aa55f29643fad27af73a56f4f15fafaa8b86bf80

SHA256
1191e5b18c3ca20267a8faa140e98fc51c71d7d01637669f7238ca61e241874a

SHA512
3144617f0b5821d7ae52579c3eae5ccabfe3a82929869a17248fe20fb9a7e1a35712be9d4f931e0195dbc89d4377fbb299db5f3dfc62530b3f1603ce34fb1521

Download Submit
C:\Windows\SysWOW64\avzxdst.exe

Filesize
88KB

MD5
a3e044fe4699ca1d795eb0cc04f45c62

SHA1
48600f2e735e9e9436e88eeaff9da11c34d3a873

SHA256
32d33f015a41bee4ccc5cc203c673600eda9f82bbda8b64177ee42ca868735f7

SHA512
1f107ea560a3ff843ba68a29630365446a4ba7e0628b7b079f755fece2d394c617869bfaa3236810ad65f4744029c8f1df97c8893c7d159be3840c956fe33c7d

Download Submit
memory/452-2061-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/548-1086-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/612-1674-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/896-835-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1016-2610-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/1016-2141-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1144-345-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1144-161-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1256-2452-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1428-2453-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/1428-2924-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/1536-2846-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1536-2845-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1536-3238-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1536-3239-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1612-133-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1612-135-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1612-344-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1640-426-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1652-230-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1652-21-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1652-28-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1652-164-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1652-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1652-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1656-2139-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1700-1675-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2024-3938-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2028-614-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2056-272-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2056-471-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2056-470-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2172-720-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/2172-776-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/2456-78-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2456-50-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2568-3705-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2568-4229-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2628-666-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2628-956-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2652-4315-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2708-564-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2780-1085-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2780-777-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2800-102-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2800-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2956-1596-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3052-271-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3052-231-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3052-49-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3052-47-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3080-3704-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/3080-3240-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/3172-3937-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3172-3398-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3340-2531-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3340-2140-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3500-2611-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3500-3081-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3768-3397-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/3768-3003-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/3964-2532-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3964-3002-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4640-4230-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download