4f83bba9963a2113fed97946434bc62f2cfbd75899307c4e83a559cfa9f1e9d7

Analysis

max time kernel
54s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
Size

167KB
MD5

266ae677831f1d4c0683030811029f93
SHA1

f1611409d9cd0944c8c74276e4496ca0f6c091bf
SHA256

4f83bba9963a2113fed97946434bc62f2cfbd75899307c4e83a559cfa9f1e9d7
SHA512

a3b421560a3d01a47405b6a86e17d966921fb30eb1b8181fdcdd917f3f0d807c48cc38b9b04e3e680fdd3a715d86cc23ad7d99b1f535d1e0d146d1772405d849
SSDEEP

3072:eY7tE473pyAf5WFgh0cg+iEBf1uFZ+DOHUw2tsDCIGSO2KYSmR1:eEK63pT5qm0T+iwuj+eUxKDCRhw1

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2692	moyy.exe
2676	dsms.exe
1996	ravmsmon.exe
1584	myfins.exe
1612	myfins.exe
1496	myfins.exe
2036	myfins.exe
1828	myfins.exe
1592	myfins.exe
2252	myfins.exe
2648	myfins.exe
2996	myfins.exe
1560	dhs.exe
2816	wdwd.exe
1568	myfins.exe
356	wddins.exe
1244	myfins.exe
2028	wddins.exe
1436	myfins.exe
1660	wddins.exe
2760	myfins.exe
2788	wddins.exe
2432	myfins.exe
800	wddins.exe
916	wddins.exe
2012	myfins.exe
2496	wddins.exe
1668	xhzt.exe
2076	mhlan.exe
2492	ravztmon.exe
2988	myfins.exe
1452	wddins.exe
660	myfins.exe
2772	wddins.exe
2484	myfins.exe
1692	wddins.exe
2116	myfins.exe
1604	wddins.exe
1576	wddins.exe
1984	myfins.exe
1920	wddins.exe
1940	myfins.exe
1656	myfins.exe
2176	wddins.exe
1364	myfins.exe
900	wddins.exe
2312	myfins.exe
1932	wddins.exe
3104	myfins.exe
3200	wddins.exe
3368	myfins.exe
3432	wddins.exe
3580	myfins.exe
3808	wddins.exe
3936	myfins.exe
3976	xhjh.exe
4040	wddins.exe
1996	myfins.exe
3144	wddins.exe
3472	wddins.exe
1084	myfins.exe
680	myfins.exe
3924	wddins.exe
4012	myfins.exe

Loads dropped DLL 64 IoCs

pid	Process
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2676	dsms.exe
2676	dsms.exe
2692	moyy.exe
2692	moyy.exe
1584	myfins.exe
1584	myfins.exe
1612	myfins.exe
1612	myfins.exe
1496	myfins.exe
1496	myfins.exe
2036	myfins.exe
2036	myfins.exe
1828	myfins.exe
1828	myfins.exe
1592	myfins.exe
1592	myfins.exe
2252	myfins.exe
2252	myfins.exe
2648	myfins.exe
2648	myfins.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2996	myfins.exe
2996	myfins.exe
2816	wdwd.exe
2816	wdwd.exe
1568	myfins.exe
1568	myfins.exe
356	wddins.exe
356	wddins.exe
1244	myfins.exe
2028	wddins.exe
1244	myfins.exe
2028	wddins.exe
1436	myfins.exe
1436	myfins.exe
1660	wddins.exe
1660	wddins.exe
2760	myfins.exe
2788	wddins.exe
2760	myfins.exe
2788	wddins.exe
2432	myfins.exe
2432	myfins.exe
800	wddins.exe
800	wddins.exe
916	wddins.exe
916	wddins.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
2076	mhlan.exe
1668	xhzt.exe
2012	myfins.exe
1668	xhzt.exe
2012	myfins.exe
2496	wddins.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015d24-207.dat	upx
behavioral1/memory/1560-219-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1560-319-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/916-577-0x0000000000220000-0x0000000000237000-memory.dmp	upx
behavioral1/memory/2116-737-0x0000000000220000-0x0000000000263000-memory.dmp	upx
behavioral1/memory/2312-767-0x0000000000260000-0x00000000002A3000-memory.dmp	upx
behavioral1/files/0x0029000000015d7b-1447.dat	upx
behavioral1/memory/1560-1719-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ravmsmon = "C:\\Program Files\\NetMeeting\\ravmsmon.exe"	ravmsmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ravztmon = "C:\\Program Files\\NetMeeting\\ravztmon.exe"	ravztmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DbgHlp32 = "C:\\Windows\\DbgHlp32.exe"	dhs.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	qqmm.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\E:\AutoRun.Inf	qqmm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wddins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\myfins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\myfins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\myfpri.dll	myfins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\myfins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\myfins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\myfins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\myfins.exe	Process not Found
File created	C:\Windows\SysWOW64\myfpri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wddins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wddins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\myfins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\myfpri.dll	myfins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\NetMeeting\ravmsmon.dat	ravmsmon.exe
File created	C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Jmp	qqmm.exe
File created	C:\Program Files\Internet Explorer\PLUGINS\WinSys64.Sys	qqmm.exe
File opened for modification	C:\Program Files\NetMeeting\ravmsmon.cfg	ravmsmon.exe
File created	C:\Program Files\NetMeeting\ravmsmon.exe	dsms.exe
File opened for modification	C:\Program Files\NetMeeting\ravmsmon.dat	ravmsmon.exe
File opened for modification	C:\Program Files\NetMeeting\ravztmon.exe	xhzt.exe
File created	C:\Program Files\NetMeeting\ravztmon.exe	xhzt.exe
File opened for modification	C:\Program Files\NetMeeting\ravztmon.cfg	ravztmon.exe
File opened for modification	C:\Program Files\NetMeeting\ravztmon.dat	ravztmon.exe
File created	C:\Program Files\NetMeeting\ravztmon.dat	ravztmon.exe
File opened for modification	C:\Program Files\NetMeeting\ravmsmon.exe	dsms.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\DbgHlp32.exe	dhs.exe
File opened for modification	C:\Windows\DbgHlp32.exe	dhs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
276	2076	WerFault.exe	221

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ = "C:\\Windows\\SysWow64\\myfpri.dll"	myfins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ThreadingModel = "Apartment"	wddins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	myfins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ = "C:\\Windows\\SysWow64\\wddpri.dll"	wddins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	myfins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ = "C:\\Windows\\SysWow64\\myfpri.dll"	myfins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ = "C:\\Windows\\SysWow64\\myfpri.dll"	myfins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	wdwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ = "C:\\Windows\\SysWow64\\wddpri.dll"	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ThreadingModel = "Apartment"	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ = "C:\\Windows\\SysWow64\\myfpri.dll"	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ = "C:\\Windows\\SysWow64\\wddpri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ = "C:\\Windows\\SysWow64\\myfpri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ = "C:\\Windows\\SysWow64\\wddpri.dll"	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D83AD9C-3BFC-43F5-979D-2904DBC54A8E}\	qqmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ = "C:\\Windows\\SysWow64\\myfpri.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ = "C:\\Windows\\SysWow64\\wddpri.dll"	wddins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ = "C:\\Windows\\SysWow64\\myfpri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ = "C:\\Windows\\SysWow64\\myfpri.dll"	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ = "C:\\Windows\\SysWow64\\wddpri.dll"	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ThreadingModel = "Apartment"	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ = "C:\\Windows\\SysWow64\\wddpri.dll"	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ = "C:\\Windows\\SysWow64\\myfpri.dll"	myfins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D83AD9C-3BFC-43F5-979D-2904DBC54A8E}\InProcServer32\ThreadingModel = "Apartment"	qqmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ThreadingModel = "Apartment"	wddins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32	wddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ThreadingModel = "Apartment"	wddins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	myfins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ = "C:\\Windows\\SysWow64\\myfpri.dll"	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	myfins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32\ThreadingModel = "Apartment"	myfins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6562452F-FA36-BA4F-892A-FF5FBBAC5316}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ = "C:\\Windows\\SysWow64\\wddpri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F12545B-1212-1314-5679-4512ACEF8904}\InprocServer32\ = "C:\\Windows\\SysWow64\\wddpri.dll"	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	dsms.exe
2676	dsms.exe
1996	ravmsmon.exe
1996	ravmsmon.exe
1996	ravmsmon.exe
2692	moyy.exe
1584	myfins.exe
1612	myfins.exe
1496	myfins.exe
2036	myfins.exe
1828	myfins.exe
1592	myfins.exe
2252	myfins.exe
2648	myfins.exe
2996	myfins.exe
2816	wdwd.exe
1568	myfins.exe
356	wddins.exe
1244	myfins.exe
2028	wddins.exe
1560	dhs.exe
1436	myfins.exe
1660	wddins.exe
2760	myfins.exe
2788	wddins.exe
2432	myfins.exe
800	wddins.exe
800	wddins.exe
916	wddins.exe
916	wddins.exe
1668	xhzt.exe
1668	xhzt.exe
1668	xhzt.exe
1668	xhzt.exe
2012	myfins.exe
2012	myfins.exe
2492	ravztmon.exe
2492	ravztmon.exe
2076	mhlan.exe
2076	mhlan.exe
2492	ravztmon.exe
2492	ravztmon.exe
2492	ravztmon.exe
2492	ravztmon.exe
2496	wddins.exe
2496	wddins.exe
2988	myfins.exe
2988	myfins.exe
1452	wddins.exe
1452	wddins.exe
2772	wddins.exe
660	myfins.exe
660	myfins.exe
2772	wddins.exe
2484	myfins.exe
1692	wddins.exe
2484	myfins.exe
1692	wddins.exe
1692	wddins.exe
1604	wddins.exe
1604	wddins.exe
1604	wddins.exe
2116	myfins.exe
2116	myfins.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
3976	xhjh.exe
476	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	ravmsmon.exe
Token: SeDebugPrivilege	1560	dhs.exe
Token: SeDebugPrivilege	2492	ravztmon.exe
Token: SeLoadDriverPrivilege	3976	xhjh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1560	dhs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2692	2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe	29
PID 2084 wrote to memory of 2692	2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe	29
PID 2084 wrote to memory of 2692	2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe	29
PID 2084 wrote to memory of 2692	2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe	29
PID 2084 wrote to memory of 2676	2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe	117
PID 2084 wrote to memory of 2676	2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe	117
PID 2084 wrote to memory of 2676	2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe	117
PID 2084 wrote to memory of 2676	2084	266ae677831f1d4c0683030811029f93_JaffaCakes118.exe	117
PID 2676 wrote to memory of 1996	2676	dsms.exe	30
PID 2676 wrote to memory of 1996	2676	dsms.exe	30
PID 2676 wrote to memory of 1996	2676	dsms.exe	30
PID 2676 wrote to memory of 1996	2676	dsms.exe	30
PID 2692 wrote to memory of 2536	2692	moyy.exe	31
PID 2692 wrote to memory of 2536	2692	moyy.exe	31
PID 2692 wrote to memory of 2536	2692	moyy.exe	31
PID 2692 wrote to memory of 2536	2692	moyy.exe	31
PID 1996 wrote to memory of 1196	1996	ravmsmon.exe	21
PID 2676 wrote to memory of 2560	2676	dsms.exe	33
PID 2676 wrote to memory of 2560	2676	dsms.exe	33
PID 2676 wrote to memory of 2560	2676	dsms.exe	33
PID 2676 wrote to memory of 2560	2676	dsms.exe	33
PID 2692 wrote to memory of 1584	2692	moyy.exe	35
PID 2692 wrote to memory of 1584	2692	moyy.exe	35
PID 2692 wrote to memory of 1584	2692	moyy.exe	35
PID 2692 wrote to memory of 1584	2692	moyy.exe	35
PID 2536 wrote to memory of 2808	2536	cmd.exe	36
PID 2536 wrote to memory of 2808	2536	cmd.exe	36
PID 2536 wrote to memory of 2808	2536	cmd.exe	36
PID 2536 wrote to memory of 2808	2536	cmd.exe	36
PID 1584 wrote to memory of 2848	1584	myfins.exe	37
PID 1584 wrote to memory of 2848	1584	myfins.exe	37
PID 1584 wrote to memory of 2848	1584	myfins.exe	37
PID 1584 wrote to memory of 2848	1584	myfins.exe	37
PID 2536 wrote to memory of 2852	2536	cmd.exe	39
PID 2536 wrote to memory of 2852	2536	cmd.exe	39
PID 2536 wrote to memory of 2852	2536	cmd.exe	39
PID 2536 wrote to memory of 2852	2536	cmd.exe	39
PID 2848 wrote to memory of 2376	2848	cmd.exe	188
PID 2848 wrote to memory of 2376	2848	cmd.exe	188
PID 2848 wrote to memory of 2376	2848	cmd.exe	188
PID 2848 wrote to memory of 2376	2848	cmd.exe	188
PID 1584 wrote to memory of 1612	1584	myfins.exe	41
PID 1584 wrote to memory of 1612	1584	myfins.exe	41
PID 1584 wrote to memory of 1612	1584	myfins.exe	41
PID 1584 wrote to memory of 1612	1584	myfins.exe	41
PID 2536 wrote to memory of 2404	2536	cmd.exe	42
PID 2536 wrote to memory of 2404	2536	cmd.exe	42
PID 2536 wrote to memory of 2404	2536	cmd.exe	42
PID 2536 wrote to memory of 2404	2536	cmd.exe	42
PID 2848 wrote to memory of 1792	2848	cmd.exe	43
PID 2848 wrote to memory of 1792	2848	cmd.exe	43
PID 2848 wrote to memory of 1792	2848	cmd.exe	43
PID 2848 wrote to memory of 1792	2848	cmd.exe	43
PID 2536 wrote to memory of 1540	2536	cmd.exe	44
PID 2536 wrote to memory of 1540	2536	cmd.exe	44
PID 2536 wrote to memory of 1540	2536	cmd.exe	44
PID 2536 wrote to memory of 1540	2536	cmd.exe	44
PID 1612 wrote to memory of 340	1612	myfins.exe	45
PID 1612 wrote to memory of 340	1612	myfins.exe	45
PID 1612 wrote to memory of 340	1612	myfins.exe	45
PID 1612 wrote to memory of 340	1612	myfins.exe	45
PID 2536 wrote to memory of 1940	2536	cmd.exe	47
PID 2536 wrote to memory of 1940	2536	cmd.exe	47
PID 2536 wrote to memory of 1940	2536	cmd.exe	47

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
7864	Process not Found
5992	Process not Found
9324	Process not Found
9516	Process not Found
5872	Process not Found
9020	Process not Found
9484	Process not Found
5252	Process not Found
4616	Process not Found
9768	Process not Found
7416	Process not Found
8992	Process not Found
1960	Process not Found
8656	Process not Found
11464	Process not Found
7792	Process not Found
3924	Process not Found
3608	Process not Found
6736	Process not Found
11764	Process not Found
5964	Process not Found
11496	Process not Found
5172	Process not Found
4672	attrib.exe
11984	Process not Found
2328	Process not Found
7732	Process not Found
9572	Process not Found
10300	Process not Found
2708	Process not Found
624	Process not Found
8504	Process not Found
1704	Process not Found
5816	Process not Found
5412	Process not Found
9920	Process not Found
8296	Process not Found
4216	Process not Found
8784	Process not Found
11272	Process not Found
11664	Process not Found
7676	Process not Found
9336	Process not Found
7672	Process not Found
11892	Process not Found
10932	Process not Found
5228	Process not Found
10736	Process not Found
2160	Process not Found
6404	Process not Found
7860	Process not Found
11688	Process not Found
12192	Process not Found
4976	Process not Found
8176	Process not Found
9716	Process not Found
10108	Process not Found
7704	Process not Found
8608	Process not Found
10360	Process not Found
5160	Process not Found
7676	Process not Found
11228	Process not Found
11700	Process not Found

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\266ae677831f1d4c0683030811029f93_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\266ae677831f1d4c0683030811029f93_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\dsms.exe
    "C:\Users\Admin\AppData\Local\Temp\dsms.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Program Files\NetMeeting\ravmsmon.exe
      "C:\Program Files\NetMeeting\ravmsmon.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\dsms.exe"
      4⤵
      PID:2560
- - C:\Users\Admin\AppData\Local\Temp\moyy.exe
    "C:\Users\Admin\AppData\Local\Temp\moyy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259396340.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2808
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1940
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2176
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2432
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:680
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:644
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1476
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:624
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:644
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2596
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5032
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4860
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3100
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4296
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1756
  - - C:\Windows\SysWOW64\myfins.exe
      C:\Windows\system32\myfins.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259396450.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2376
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1792
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:280
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1512
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1656
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1060
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2896
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1120
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1304
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2424
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2568
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2716
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1896
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2972
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2164
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:2832
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1764
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3632
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4936
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3100
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4712
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4472
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5040
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3756
    - - C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259396528.bat
        6⤵
        
        PID:340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3412
      - C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259396606.bat
        7⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259396684.bat
        8⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259396793.bat
        9⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259396902.bat
        10⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259396996.bat
        11⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259397105.bat
        12⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259397245.bat
        13⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259397448.bat
        14⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259397510.bat
        15⤵
        
        PID:792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259397760.bat
        16⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259397885.bat
        17⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398103.bat
        18⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398212.bat
        19⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398306.bat
        20⤵
        
        PID:784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:660
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398462.bat
        22⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398556.bat
        23⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        23⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398634.bat
        24⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        24⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398712.bat
        25⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        25⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398774.bat
        26⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        26⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398852.bat
        27⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        27⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398914.bat
        28⤵
        
        PID:264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        28⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398992.bat
        29⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399086.bat
        30⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399148.bat
        31⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399226.bat
        32⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        32⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399304.bat
        33⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        33⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399429.bat
        34⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:332
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        34⤵
        Executes dropped EXE
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399492.bat
        35⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399570.bat
        36⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        36⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399648.bat
        37⤵
        
        PID:112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        37⤵
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399710.bat
        38⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        38⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399788.bat
        39⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        39⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399866.bat
        40⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        40⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399928.bat
        41⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        41⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400006.bat
        42⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        42⤵
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400084.bat
        43⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        43⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400162.bat
        44⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        44⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400240.bat
        45⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        45⤵
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400303.bat
        46⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        46⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400381.bat
        47⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        47⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259401036.bat
        48⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        48⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        49⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259402440.bat
        50⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        50⤵
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259403142.bat
        51⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        51⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259403953.bat
        52⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        52⤵
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259404780.bat
        53⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        53⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259405186.bat
        54⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        54⤵
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259406044.bat
        55⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        55⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259406777.bat
        56⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\myfins.exe
        
        C:\Windows\system32\myfins.exe
        56⤵
        Drops file in System32 directory
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259407635.bat
        57⤵
        
        PID:3884
- - C:\Users\Admin\AppData\Local\Temp\dhs.exe
    "C:\Users\Admin\AppData\Local\Temp\dhs.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\wdwd.exe
    "C:\Users\Admin\AppData\Local\Temp\wdwd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259397276.bat
      4⤵
      PID:1628
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2060
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1104
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3984
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4552
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4868
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4916
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4460
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3832
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4868
  - - C:\Windows\SysWOW64\wddins.exe
      C:\Windows\system32\wddins.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:356
    - - C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259397542.bat
        6⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4992
      - C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259397822.bat
        7⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259397963.bat
        8⤵
        
        PID:280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398119.bat
        9⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398181.bat
        10⤵
        
        PID:700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398259.bat
        11⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398322.bat
        12⤵
        
        PID:960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398384.bat
        13⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398540.bat
        15⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        Views/modifies file attributes
        
        PID:4672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398618.bat
        16⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398696.bat
        17⤵
        
        PID:568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        17⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398805.bat
        18⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        18⤵
        Executes dropped EXE
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398868.bat
        19⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        19⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259398946.bat
        20⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399024.bat
        21⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        21⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399117.bat
        22⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399180.bat
        23⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        23⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399258.bat
        24⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        24⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399336.bat
        25⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        25⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399445.bat
        26⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        26⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399538.bat
        27⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        27⤵
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399616.bat
        28⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        28⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399679.bat
        29⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        29⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399741.bat
        30⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        30⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399804.bat
        31⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        31⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399882.bat
        32⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        32⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259399960.bat
        33⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        33⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400038.bat
        34⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        34⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400116.bat
        35⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:592
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        35⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400194.bat
        36⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        36⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400287.bat
        37⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        37⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400350.bat
        38⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        38⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259400615.bat
        39⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        39⤵
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259401410.bat
        40⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        40⤵
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259401800.bat
        41⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        41⤵
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259402612.bat
        42⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        42⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259403516.bat
        43⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        43⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259404218.bat
        44⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        44⤵
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259405154.bat
        45⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        45⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259406028.bat
        46⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        46⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259406792.bat
        47⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\wddins.exe
        
        C:\Windows\system32\wddins.exe
        47⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259407619.bat
        48⤵
        
        PID:3280
- - C:\Users\Admin\AppData\Local\Temp\mhlan.exe
    "C:\Users\Admin\AppData\Local\Temp\mhlan.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 92
      4⤵
      Program crash
      PID:276
- - C:\Users\Admin\AppData\Local\Temp\xhzt.exe
    "C:\Users\Admin\AppData\Local\Temp\xhzt.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1668
  - - C:\Program Files\NetMeeting\ravztmon.exe
      "C:\Program Files\NetMeeting\ravztmon.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\xhzt.exe"
      4⤵
      PID:2380
- - C:\Users\Admin\AppData\Local\Temp\xhjh.exe
    "C:\Users\Admin\AppData\Local\Temp\xhjh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "
      4⤵
      PID:3600
- - C:\Users\Admin\AppData\Local\Temp\qqmm.exe
    "C:\Users\Admin\AppData\Local\Temp\qqmm.exe"
    3⤵
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Modifies registry class
    PID:4836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1747998737565400838-1558490359-1814917935457219100-709235451221098165-1619711942"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1252796832942082911-1428922356-92066473-4363633085600035392088750131-1814327453"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "703862799-1638833123-14547643772029199339-1087546272843294499937050535-1672382099"
1⤵
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16709710612072919657113118956313033239302069619867-484090566423624767-1277735280"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14562748371373123098-18828123181689271851690255654-3658463802007848024-750916287"
1⤵
PID:2424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-641851156473996940356015171-161173089522714204-256289330-1824163998-82066055"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "225605248-1764736336-10853995718534742951602495762-1164506406-4110793031903928410"
1⤵
PID:1544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-32861617-6750422414462411751361898592699583604-11495046641977538802-577790000"
1⤵
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11803573672082908682093818362-117982626516048667-8747825732096856680-1097829308"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1337778346748656860-817846405-954955311-153587183723639783-21109807421900067601"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1761285104-1399883017-7527132411400226370-1357081824504868012-2029174390-1188081048"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7616456211632768599-21194035071236300240-98125515641301055-4411624951976773816"
1⤵
PID:1380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13542856963585620601758256383-1238894777-1997663684-52391233371584661-497785436"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18884756673987581675302868412108917022-855340350120490875013398251831111252420"
1⤵
PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1841755244-1563560336-12744391857675979643029802441063718079-2101730280-1718683053"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "706072667-183459295-19355295011588108083398433585-13196780121890714637-1153136444"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18207720142067363459-1495680952-2033579595-891884584-712733654-1446354112-1313197430"
1⤵
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2022530325731393995-1073184863-354176707-907174988-2421878621212228168-1209176855"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6684266531489113100-590336308-1091675659-1963006060-7817296552044915141-273621604"
1⤵
PID:908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "446031116344672210-1162879554785389647-144491934714489563165267453641164080168"
1⤵
PID:3208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20181993511631911306-11778397641689121644-1951218054-4097460741478612-995263753"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1763121187-57994939346359024-384091882-3866088692039423086-4015748231893901771"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15426853341664655834528710152-150438860-473685695-992783460-19804031621077322178"
1⤵
PID:3656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1707069028137548693320357393252111676198-1693452613-5621720898349043871226309608"
1⤵
PID:4124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1508889059-2122130506-840035078-531418835-1933758322-1776982781263764302-959015038"
1⤵
PID:4352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "171618446115601280721865707009-1828126911930161688-985313310-3403247711520997663"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "797220915-1794899188-247809820-9033229781045418615-401075360-409611513-262066617"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "114657188434922268-1825530514-16045925456692631792071158-12005246801507870561"
1⤵
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1803729041-652293049-334259763-1052359578343903685-40914551-6776925671099255059"
1⤵
PID:3548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1362513476524698490-1435257200-193612832155689354617926660-1395533474-102458766"
1⤵
PID:1336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "213352821410541545802031461123585935188-86602567211292971081681675142908933539"
1⤵
PID:3100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1731580752-1489636181505670911-848556257-6620739019621175542138168380-1903600680"
1⤵
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "90274056622064113193376269-1879718846-722867685693414343-316974372-1847570125"
1⤵
PID:4148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1983757510816280221-919051551-6613743841845640436290376912-11761173921177047917"
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DFD259396340.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD259426963.bat

Filesize
206B

MD5
8d056a49e704a2cf5f786224745db511

SHA1
ba197d15fb258314b719a51867561b3c898b99a4

SHA256
d28f270d9f4b8decda36d9ea28b588203d61bbe41af14a3f3ed312d098a82365

SHA512
e80009f769393efcca8262aa575782cae8fd6e7b911f1cf9026618819bc10c94f14bcbd497cfa3faaad26ac83b65316a73ff6ede5a6dc61dfe5ae9f908ecb9ce

Download Submit
C:\DFD259427229.bat

Filesize
170B

MD5
8f050cb9f1d3d15d6ef01a70a1dcbfad

SHA1
8e51d54c2b10db34910ebca1bafd334c54c3a983

SHA256
81e51364b2af48d17284d53754d92fe5c4a9814488794a31ada31b61c99e12bf

SHA512
7555c2cd3a50bfa9e4c0c186c8f15718b37e1d0e6ae59139f4e1c48932aaf06bb4ca9ee6aa81c2abb1507009088a48cb3777f9be0a756a7de6cb4a9960120813

Download Submit
C:\DFD259427946.bat

Filesize
206B

MD5
e7b61c13ea09bdc4072fb4a00722d615

SHA1
d621608718b4085f31f7e3f6cbe57b33f9f1ae39

SHA256
18e950bb4f07fd4f6fd3c11b09bfab82285c147ddb03b34ab8fa467a31416d6b

SHA512
0124ed86a5535b702da3ee630e63fb23910706764365d1c34ac34d7876f09bbf5ed970990d85d9b25489d027e01f951a6394b0c4d0e2371b9c1ee23d56390b2e

Download Submit
C:\DFD259428321.bat

Filesize
170B

MD5
80256076efa5044f4b19c2f93dd40100

SHA1
b20d8102d1b382b68293fc7bbc223e993b66d8f7

SHA256
bd6f2f48d196cc6a256f223c29cac1b263a2865936fa6216caf69d148df51bf6

SHA512
acd2ca208ebdf3bee1c57a5cf677fa1118bf2a9fadfbf42c70bdbe139d93c330a7598a6b73eec168b40f44ccaa25e6ad42625e22e22d0aaa776909419c0d921b

Download Submit
C:\Users\Admin\AppData\Local\Temp\close.exe

Filesize
11KB

MD5
6d1a4d42abb451559c627c3b66e2fa2c

SHA1
9525f92f0f0735a11e352d38ec0c3857a1f5eac5

SHA256
b4b2c2dbbdc744a95f6ffff624c18abdcc706d554a1fbc3e5a7ad825b6e1277e

SHA512
8a599f55c3cff3f1c04d1793c28bab695a6189c57eb7ca757689de3a5e43c56ec2d09ce4a1cee837b3667080590b6a834ae16a2586d350a9cb8fc4fcfc84dd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
190B

MD5
1143b63afb7df24128d8b031c980adc9

SHA1
d0e9b6c9933a50bd3f5c816cef0d1d631c38cffc

SHA256
a167707e07fe01390a0b8da99092979734f64ca17700ed78e9057783ee1fc43c

SHA512
61760c0717e8e062643e3279be90b02ce800a4ceebca1af2fd24525d8eeeedc91011af72998e41c6617bb6ca608be0115c8553a2e0a0f21dee512644c9e5f28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhlan.exe

Filesize
23KB

MD5
8c738929713fdeb497212fb037a05ab7

SHA1
84c220c8d2353b504b9310890e1e0185b694942d

SHA256
a3b0724ae5253ab005532b83f7991c81792d628f9e7bca6d4865e8d85fa3d230

SHA512
be46fedea8bdcb4f2971ad25ce3fafc1c4bdda0ae4920c7c6c87e19dcff0e70810ba8cbd398ba32ae6ce0ce3f646be856cf0b97910a13641e0e624674f86f66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\p0cddma.bat

Filesize
128B

MD5
a63fcf4998a8c6df0ca661892fa6054e

SHA1
89054206f98d00333a3d26ddbdf4b898edc2edca

SHA256
7a5aa8469623d292a1ec14832cb4b466281a4461a62985406b374939019069c2

SHA512
69aa7b23c3a48799ab45d759511f32e3f6e374043b6b10ef8b6a3c3f88b601f3abb9770dcc7a51ae98c1d3e52dc43f2b958081318489ce12226a8e512a7694ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqmm.exe

Filesize
32KB

MD5
87381443c06a20d660718af05a2a8d58

SHA1
16239399b1a791b3185c00c9f219da8e2942227f

SHA256
d6f25ca4cecb633e2ab96cb4f456f639845ff06cb23767054f6a0cbc616168b0

SHA512
af64371c32a9bb8eff09b2498042adc1d844062941945d48cb281ce3710d241e59d158f3e749e958260a1cd1e9e4671d4d65f00b45a289fa27f1e51451972fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdwd.exe

Filesize
10KB

MD5
d31cac02e223012dd33103f848389491

SHA1
3ac00c86790282a8581d4834f3ced0f4f1c0fa68

SHA256
4f8ff5179e21df85f9e638967ab7673e69816bd2e47428c87053941b1e5830a8

SHA512
3989d25eb8b4fc160714e4f5b48a1bda76490ca5e0dac9af62540f10100ce87f22789275d98a51dbef13c315e2190e5d122d6079c73322ca05b5bcb81cbc17ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhjh.exe

Filesize
14KB

MD5
3d5baba93ea1e9e868c2fbcd4e9db652

SHA1
40552f580d840a0100fe00c7aaf6eec62ad6e185

SHA256
515d86ae71ba6d92b769640308f55212e1766b194238d796831db463668f1fd0

SHA512
c4cb98d7e496cb4625dc623a15ea1bc0c31d364e21a7af581f9272b0be80009db65666cbc59f60648061a7a2904dd5716264dad3662bacf31a3ada2f692916a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhzt.exe

Filesize
17KB

MD5
d29b1f009cbe88223dc947621ee37c7a

SHA1
3d75e2352d61866308c014fafa9ab06e7ce23a80

SHA256
1716f52e91888678cc85cb4784e7b56f4d5ee1108a7a48ec7eeea32154a9e530

SHA512
51ad30c185a473923ef49a33c3fce1bceeb6f59549811e30fa6a3d63c722b4058ce16f917c487cb3f8618f71f3f0bcf5fc8b208d88e4acff8a3e869f49dffc44

Download Submit
C:\Windows\SysWOW64\RemoteDbg.dll

Filesize
19KB

MD5
9a3e1546336a37b0cf72189f61012d76

SHA1
f728cffda03c44ce1efcb6c98934ce8bd5e2eb8d

SHA256
7a30c05be5bf9a7b937327653b4b8049d64ed18ae6feeab8f2608ef253eeebfc

SHA512
6f33735be0f6ab098bfb9e1f7a56343dc0295a43360b2cec3a096281006a11db1cb4a140093be4543658f1c9d18fb7be28977097fcb3759894f563c1010b81f9

Download Submit
C:\Windows\SysWOW64\myfini.dll

Filesize
50B

MD5
a6353481141d546e45aed17d965161d0

SHA1
751a8c4e7c2ad9dda7cf76c7a5d700fa762f95ec

SHA256
a501c9b2235f2c60dfedc873f79988547dac891d213947da05ae2c6408ce0bed

SHA512
57028775a4b428e3ca907739301c30394288d299e625474b7376e365eb6e6dc2e4fc8842f46367fbc4533f52986443927a660c082d6f1aee7dc6bfb0a53499bd

Download Submit
C:\Windows\SysWOW64\myfpri.dll

Filesize
20KB

MD5
47ee49ff885c866120e956608222c4e5

SHA1
c09f8dc68a18e020516a0b631a5fecfeb222ec79

SHA256
6c70df0332d5f6c32e1be4aa0beb7be30e046685a3e9a00bce675ab0b8d0a1b7

SHA512
97acf198d11c75d864754bf0a262762c3c75aad06a1a57d8df4238cb8d3611b288cc42090a77c03307c43a3fe1cc8711517e25232a155c6641fea66f42495374

Download Submit
C:\Windows\SysWOW64\wddpri.dll

Filesize
16KB

MD5
7945c425c11ff1bb537c5239a51bb820

SHA1
1b09d8cb50ae52a0ee3e85474ef9e88dc4da2fe8

SHA256
26bafbafbdae21ca84c54cce47278d7570f78dd4392b9a4f252d02f98bbc4abc

SHA512
47da046a8e9a75ed07761258df30481754cea84e746c65c3e21ebc36c68e2b569582c70db98bea6dad0d1f3b4b3ad7b0d75b1bfbdda82f8e5839a01c291aa384

Download Submit
\Users\Admin\AppData\Local\Temp\dhs.exe

Filesize
14KB

MD5
9448daae0ee4794053bb5931cf20fa76

SHA1
911b0264a16ee82ca0a4117e8f1bd434cf52ad15

SHA256
310f759c97ceecb3f9973c2d57739c9a6a118a479b19b14ec73ebaadb9f10494

SHA512
24866e42c68f9626cf802307b78f5b202d15076ddbe6e55137bc715b137200add06bc05c69a5b6e7c005d290572fe73e467a04aa4b7b605023b5d24bab232589

Download Submit
\Users\Admin\AppData\Local\Temp\dsms.exe

Filesize
14KB

MD5
d66b6527018832095f5ad2ce4f64c451

SHA1
607117703a0e4594edfa455ad43c64f9220d9021

SHA256
2e40a32b60b91a2da8152f87d4be079c123f4522ec7598f606965600ec4de7fa

SHA512
990bc42430296561c44ba51e39b79307434edc5ab9aba1802e02fc7bf2753f36cb2585ccc2c9cde6680380416457d031f3919f92b5a8aa30b8ceb83d59a1a080

Download Submit
\Users\Admin\AppData\Local\Temp\moyy.exe

Filesize
12KB

MD5
ba588978426c25550fae3ca82ad2a5bf

SHA1
e73b6189010cda79544058e4d7297eb01cc4ba3a

SHA256
ae103495b5001bf70dea7d4e0a731194f8ab481385a994e669be1ab6639f863a

SHA512
309a6c2608925523e9adba2f417cf78ad29dfe25fb173051080a77f6e30e7f62fe6d8a48ecae7c752189e7deb79a93ee6bcbc7edd1135a1fc4c507d20830ce2e

Download Submit
memory/356-360-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/356-261-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/356-285-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/660-665-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/680-1029-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/800-418-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/900-743-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/900-900-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/900-744-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/916-578-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/916-451-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/916-450-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/916-577-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1084-996-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1084-997-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1196-46-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1196-860-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1196-856-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1244-320-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1364-883-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1364-741-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1364-884-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1364-742-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1436-419-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1452-642-0x00000000003A0000-0x00000000003B7000-memory.dmp

Filesize
92KB

Download
memory/1452-533-0x00000000003A0000-0x00000000003B7000-memory.dmp

Filesize
92KB

Download
memory/1496-112-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1560-219-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1560-1720-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1560-319-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1560-1719-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1568-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1584-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1584-66-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1604-711-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1656-819-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1660-361-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1660-460-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1692-700-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1828-146-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1828-244-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1920-684-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1920-802-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1940-778-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1940-668-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1984-639-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1996-966-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1996-967-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1996-921-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-483-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/2028-293-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2036-131-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2076-469-0x0000000010010000-0x0000000010021000-memory.dmp

Filesize
68KB

Download
memory/2084-318-0x0000000003870000-0x000000000387C000-memory.dmp

Filesize
48KB

Download
memory/2084-2225-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2084-24-0x0000000003B80000-0x0000000003BC3000-memory.dmp

Filesize
268KB

Download
memory/2084-1686-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2084-1685-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2084-3-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2084-133-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2084-9-0x0000000003B80000-0x0000000003BC3000-memory.dmp

Filesize
268KB

Download
memory/2084-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2084-2059-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2084-218-0x0000000003870000-0x0000000003887000-memory.dmp

Filesize
92KB

Download
memory/2084-213-0x0000000003870000-0x000000000387C000-memory.dmp

Filesize
48KB

Download
memory/2084-225-0x0000000003870000-0x0000000003887000-memory.dmp

Filesize
92KB

Download
memory/2084-212-0x0000000003870000-0x000000000387C000-memory.dmp

Filesize
48KB

Download
memory/2084-321-0x0000000003870000-0x0000000003887000-memory.dmp

Filesize
92KB

Download
memory/2116-737-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2252-179-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2252-276-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2252-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-767-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2312-920-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2432-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2432-551-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/2484-576-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2496-640-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/2496-508-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/2648-309-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2648-202-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2692-64-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2692-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-177-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2760-507-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2772-666-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2772-552-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2772-667-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2788-491-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2788-385-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2788-387-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2816-322-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2816-226-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2988-641-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/2988-532-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/3104-932-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/3104-803-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/3200-965-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3200-821-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3200-964-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3200-820-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3200-779-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3432-852-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3580-998-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/4040-930-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download