9bc55f1e5743d7f50f1032e315ff873b9ab93bdd09489dd63412132004721236

Analysis

max time kernel
61s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c1977a313d960b2ed76eaa2a0c3f598.exe
Size

11KB
MD5

8c1977a313d960b2ed76eaa2a0c3f598
SHA1

2cd8a4589880864b7ce0f89ef2c6e211dc8b5775
SHA256

9bc55f1e5743d7f50f1032e315ff873b9ab93bdd09489dd63412132004721236
SHA512

5b1242b37e7a5685d335d1d6c682f93bc10ae120378d31bd85bcd91c965373cc71af7e5dc8d09f5c2de607951cf843b6064b9a141e6992e81e4b658b7b0333d4
SSDEEP

192:ItdF76Ab88Ny7/cdo2h/ifX6pZ2IcIQLiL04IE267GoSA91noNo2u9IhGkf5BXcY:IfF76Aj2kKZfyQm6r6yol1YhhGkTs2oU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5576	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
1764	jziins.exe
2792	jziins.exe
3036	jziins.exe
2552	jziins.exe
572	jziins.exe
1200	jziins.exe
1708	jziins.exe
1140	jziins.exe
916	jziins.exe
1984	jziins.exe
1596	jziins.exe
1712	jziins.exe
2432	jziins.exe
580	jziins.exe
1448	jziins.exe
2340	jziins.exe
1732	jziins.exe
2088	jziins.exe
1952	jziins.exe
3004	jziins.exe
2824	jziins.exe
2124	jziins.exe
2536	jziins.exe
1572	jziins.exe
1244	jziins.exe
2628	jziins.exe
2284	jziins.exe
2924	jziins.exe
2656	jziins.exe
2412	jziins.exe
1908	jziins.exe
3040	jziins.exe
1528	jziins.exe
1700	jziins.exe
1756	jziins.exe
2588	jziins.exe
2232	jziins.exe
1132	jziins.exe
2964	jziins.exe
2472	jziins.exe
2996	jziins.exe
2388	jziins.exe
3228	jziins.exe
3348	jziins.exe
3440	jziins.exe
3616	jziins.exe
3796	jziins.exe
3968	jziins.exe
2480	jziins.exe
2564	jziins.exe
3324	jziins.exe
2732	jziins.exe
2820	jziins.exe
1584	jziins.exe
3828	jziins.exe
4080	jziins.exe
3236	jziins.exe
3576	jziins.exe
3820	jziins.exe
3628	jziins.exe
3116	jziins.exe
3772	jziins.exe
3964	jziins.exe
3112	jziins.exe

Loads dropped DLL 64 IoCs

pid	Process
2464	8c1977a313d960b2ed76eaa2a0c3f598.exe
2464	8c1977a313d960b2ed76eaa2a0c3f598.exe
1764	jziins.exe
1764	jziins.exe
2792	jziins.exe
2792	jziins.exe
3036	jziins.exe
3036	jziins.exe
2552	jziins.exe
2552	jziins.exe
572	jziins.exe
572	jziins.exe
1200	jziins.exe
1200	jziins.exe
1708	jziins.exe
1708	jziins.exe
1140	jziins.exe
1140	jziins.exe
916	jziins.exe
916	jziins.exe
1984	jziins.exe
1984	jziins.exe
1596	jziins.exe
1596	jziins.exe
1712	jziins.exe
1712	jziins.exe
2432	jziins.exe
2432	jziins.exe
580	jziins.exe
580	jziins.exe
1448	jziins.exe
1448	jziins.exe
2340	jziins.exe
2340	jziins.exe
1732	jziins.exe
1732	jziins.exe
2088	jziins.exe
2088	jziins.exe
1952	jziins.exe
1952	jziins.exe
3004	jziins.exe
3004	jziins.exe
2824	jziins.exe
2824	jziins.exe
2124	jziins.exe
2124	jziins.exe
2536	jziins.exe
2536	jziins.exe
1572	jziins.exe
1572	jziins.exe
1244	jziins.exe
1244	jziins.exe
2628	jziins.exe
2628	jziins.exe
2284	jziins.exe
2284	jziins.exe
2924	jziins.exe
2924	jziins.exe
2656	jziins.exe
2656	jziins.exe
2412	jziins.exe
2412	jziins.exe
1908	jziins.exe
1908	jziins.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jziins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	cmd.exe
File created	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jziins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jziins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jziins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jziins.exe	jziins.exe
File created	C:\Windows\SysWOW64\jzipri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jziins.exe	jziins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File opened for modification	C:\Windows\SysWOW64\jziins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jziins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	cmd.exe
File created	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File created	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	jziins.exe
File created	C:\Windows\SysWOW64\jzipri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\jziins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jzipri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\jzipri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jziins.exe	jziins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jziins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File created	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File created	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jzipri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\jzipri.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\jzipri.dll	jziins.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jziins.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	jziins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ = "C:\\Windows\\SysWow64\\jzipri.dll"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{959AFD5B-159F-ACD8-954C-ACD545FA6589}\InprocServer32\ThreadingModel = "Apartment"	jziins.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	8c1977a313d960b2ed76eaa2a0c3f598.exe
1764	jziins.exe
2792	jziins.exe
3036	jziins.exe
2552	jziins.exe
572	jziins.exe
1200	jziins.exe
1708	jziins.exe
1140	jziins.exe
916	jziins.exe
1984	jziins.exe
1596	jziins.exe
1712	jziins.exe
2432	jziins.exe
580	jziins.exe
1448	jziins.exe
2340	jziins.exe
1732	jziins.exe
2088	jziins.exe
1952	jziins.exe
3004	jziins.exe
2824	jziins.exe
2824	jziins.exe
2124	jziins.exe
2124	jziins.exe
2536	jziins.exe
2536	jziins.exe
1572	jziins.exe
1572	jziins.exe
1244	jziins.exe
1244	jziins.exe
2628	jziins.exe
2628	jziins.exe
2284	jziins.exe
2284	jziins.exe
2924	jziins.exe
2924	jziins.exe
2924	jziins.exe
2656	jziins.exe
2656	jziins.exe
2656	jziins.exe
2412	jziins.exe
2412	jziins.exe
2412	jziins.exe
1908	jziins.exe
1908	jziins.exe
1908	jziins.exe
3040	jziins.exe
3040	jziins.exe
3040	jziins.exe
3040	jziins.exe
1528	jziins.exe
1528	jziins.exe
1528	jziins.exe
1528	jziins.exe
1700	jziins.exe
1700	jziins.exe
1700	jziins.exe
1756	jziins.exe
1756	jziins.exe
1756	jziins.exe
1756	jziins.exe
2588	jziins.exe
2588	jziins.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2904	2464	8c1977a313d960b2ed76eaa2a0c3f598.exe	28
PID 2464 wrote to memory of 2904	2464	8c1977a313d960b2ed76eaa2a0c3f598.exe	28
PID 2464 wrote to memory of 2904	2464	8c1977a313d960b2ed76eaa2a0c3f598.exe	28
PID 2464 wrote to memory of 2904	2464	8c1977a313d960b2ed76eaa2a0c3f598.exe	28
PID 2464 wrote to memory of 1764	2464	8c1977a313d960b2ed76eaa2a0c3f598.exe	30
PID 2464 wrote to memory of 1764	2464	8c1977a313d960b2ed76eaa2a0c3f598.exe	30
PID 2464 wrote to memory of 1764	2464	8c1977a313d960b2ed76eaa2a0c3f598.exe	30
PID 2464 wrote to memory of 1764	2464	8c1977a313d960b2ed76eaa2a0c3f598.exe	30
PID 1764 wrote to memory of 2648	1764	jziins.exe	32
PID 1764 wrote to memory of 2648	1764	jziins.exe	32
PID 1764 wrote to memory of 2648	1764	jziins.exe	32
PID 1764 wrote to memory of 2648	1764	jziins.exe	32
PID 2904 wrote to memory of 2672	2904	cmd.exe	120
PID 2904 wrote to memory of 2672	2904	cmd.exe	120
PID 2904 wrote to memory of 2672	2904	cmd.exe	120
PID 2904 wrote to memory of 2672	2904	cmd.exe	120
PID 1764 wrote to memory of 2792	1764	jziins.exe	39
PID 1764 wrote to memory of 2792	1764	jziins.exe	39
PID 1764 wrote to memory of 2792	1764	jziins.exe	39
PID 1764 wrote to memory of 2792	1764	jziins.exe	39
PID 2648 wrote to memory of 2684	2648	cmd.exe	38
PID 2648 wrote to memory of 2684	2648	cmd.exe	38
PID 2648 wrote to memory of 2684	2648	cmd.exe	38
PID 2648 wrote to memory of 2684	2648	cmd.exe	38
PID 2904 wrote to memory of 2536	2904	cmd.exe	36
PID 2904 wrote to memory of 2536	2904	cmd.exe	36
PID 2904 wrote to memory of 2536	2904	cmd.exe	36
PID 2904 wrote to memory of 2536	2904	cmd.exe	36
PID 2792 wrote to memory of 2512	2792	jziins.exe	35
PID 2792 wrote to memory of 2512	2792	jziins.exe	35
PID 2792 wrote to memory of 2512	2792	jziins.exe	35
PID 2792 wrote to memory of 2512	2792	jziins.exe	35
PID 2648 wrote to memory of 2528	2648	cmd.exe	37
PID 2648 wrote to memory of 2528	2648	cmd.exe	37
PID 2648 wrote to memory of 2528	2648	cmd.exe	37
PID 2648 wrote to memory of 2528	2648	cmd.exe	37
PID 2792 wrote to memory of 3036	2792	jziins.exe	45
PID 2792 wrote to memory of 3036	2792	jziins.exe	45
PID 2792 wrote to memory of 3036	2792	jziins.exe	45
PID 2792 wrote to memory of 3036	2792	jziins.exe	45
PID 2904 wrote to memory of 2368	2904	cmd.exe	44
PID 2904 wrote to memory of 2368	2904	cmd.exe	44
PID 2904 wrote to memory of 2368	2904	cmd.exe	44
PID 2904 wrote to memory of 2368	2904	cmd.exe	44
PID 2512 wrote to memory of 3020	2512	cmd.exe	43
PID 2512 wrote to memory of 3020	2512	cmd.exe	43
PID 2512 wrote to memory of 3020	2512	cmd.exe	43
PID 2512 wrote to memory of 3020	2512	cmd.exe	43
PID 2648 wrote to memory of 2492	2648	cmd.exe	124
PID 2648 wrote to memory of 2492	2648	cmd.exe	124
PID 2648 wrote to memory of 2492	2648	cmd.exe	124
PID 2648 wrote to memory of 2492	2648	cmd.exe	124
PID 3036 wrote to memory of 2616	3036	jziins.exe	40
PID 3036 wrote to memory of 2616	3036	jziins.exe	40
PID 3036 wrote to memory of 2616	3036	jziins.exe	40
PID 3036 wrote to memory of 2616	3036	jziins.exe	40
PID 2648 wrote to memory of 2888	2648	cmd.exe	46
PID 2648 wrote to memory of 2888	2648	cmd.exe	46
PID 2648 wrote to memory of 2888	2648	cmd.exe	46
PID 2648 wrote to memory of 2888	2648	cmd.exe	46
PID 2904 wrote to memory of 2900	2904	cmd.exe	49
PID 2904 wrote to memory of 2900	2904	cmd.exe	49
PID 2904 wrote to memory of 2900	2904	cmd.exe	49
PID 2904 wrote to memory of 2900	2904	cmd.exe	49

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5756	Process not Found
7184	Process not Found
7996	Process not Found
1716	attrib.exe
4004	attrib.exe
5884	Process not Found
8004	Process not Found
11728	Process not Found
7356	Process not Found
7764	Process not Found
10156	Process not Found
7320	Process not Found
7884	Process not Found
8044	Process not Found
5648	Process not Found
3928	Process not Found
7756	Process not Found
2376	attrib.exe
6900	Process not Found
7864	Process not Found
7680	Process not Found
4724	Process not Found
4780	Process not Found
2368	attrib.exe
3592	attrib.exe
5452	Process not Found
3864	Process not Found
5852	Process not Found
4672	Process not Found
3964	Process not Found
7988	Process not Found
9736	Process not Found
4824	Process not Found
7336	Process not Found
7904	Process not Found
6288	Process not Found
2524	attrib.exe
6212	Process not Found
7976	Process not Found
7208	Process not Found
5320	Process not Found
5012	Process not Found
9528	Process not Found
4988	Process not Found
7200	Process not Found
6388	Process not Found
1236	Process not Found
2820	Process not Found
9200	Process not Found
6692	Process not Found
5292	Process not Found
7456	Process not Found
1636	Process not Found
5772	Process not Found
6128	Process not Found
7780	Process not Found
7516	Process not Found
7200	Process not Found
7368	Process not Found
9092	Process not Found
1496	attrib.exe
5712	Process not Found
3908	Process not Found
3860	Process not Found

C:\Users\Admin\AppData\Local\Temp\8c1977a313d960b2ed76eaa2a0c3f598.exe
"C:\Users\Admin\AppData\Local\Temp\8c1977a313d960b2ed76eaa2a0c3f598.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259407370.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:2688
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:624
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4692
- C:\Windows\SysWOW64\jziins.exe
  C:\Windows\system32\jziins.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259407541.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:1496
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:600
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:896
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3156
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4032
- - C:\Windows\SysWOW64\jziins.exe
    C:\Windows\system32\jziins.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\jziins.exe
      C:\Windows\system32\jziins.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259407806.bat
        6⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3896
      - C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408181.bat
        10⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408446.bat
        12⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408540.bat
        13⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        Views/modifies file attributes
        
        PID:2376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408618.bat
        14⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408696.bat
        15⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408758.bat
        16⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        Views/modifies file attributes
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408883.bat
        17⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408976.bat
        18⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        Views/modifies file attributes
        
        PID:1716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259409054.bat
        19⤵
        
        PID:384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259409132.bat
        20⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259409210.bat
        21⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        Views/modifies file attributes
        
        PID:2524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259409694.bat
        22⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259410271.bat
        23⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259410786.bat
        24⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259411176.bat
        25⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259411831.bat
        26⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259412143.bat
        27⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259412596.bat
        28⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        Views/modifies file attributes
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259412814.bat
        29⤵
        
        PID:432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259412892.bat
        30⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259412970.bat
        31⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413048.bat
        32⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413126.bat
        33⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413204.bat
        34⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413282.bat
        35⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413376.bat
        36⤵
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413469.bat
        37⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413547.bat
        38⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        38⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413625.bat
        39⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        39⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413719.bat
        40⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413797.bat
        41⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        41⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413875.bat
        42⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259413953.bat
        43⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414078.bat
        44⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        44⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414156.bat
        45⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        45⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414234.bat
        46⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        46⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414343.bat
        47⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        47⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414421.bat
        48⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        Views/modifies file attributes
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        48⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414514.bat
        49⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414608.bat
        50⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        50⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414702.bat
        51⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414780.bat
        52⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414858.bat
        53⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        53⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259414936.bat
        54⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        54⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415014.bat
        55⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415123.bat
        56⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415216.bat
        57⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415294.bat
        58⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        58⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415388.bat
        59⤵
        
        PID:540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415482.bat
        60⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        60⤵
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415606.bat
        61⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415684.bat
        62⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        62⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415762.bat
        63⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415840.bat
        64⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415918.bat
        65⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259415996.bat
        66⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        66⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416074.bat
        67⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        67⤵
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416168.bat
        68⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        68⤵
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416262.bat
        69⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        69⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416340.bat
        70⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        70⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416449.bat
        71⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        71⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416542.bat
        72⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        73⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        73⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        72⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416620.bat
        73⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416714.bat
        74⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        74⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416792.bat
        75⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        75⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416886.bat
        76⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        76⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259416979.bat
        77⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        77⤵
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417057.bat
        78⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        78⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417135.bat
        79⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        79⤵
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417213.bat
        80⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        80⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417307.bat
        81⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        82⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        82⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        81⤵
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417494.bat
        82⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        82⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417603.bat
        83⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        84⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        84⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        83⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417681.bat
        84⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        84⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417759.bat
        85⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        86⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        86⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        85⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417837.bat
        86⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        87⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        87⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        86⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417915.bat
        87⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        88⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259417993.bat
        88⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        89⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        89⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        89⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        88⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418071.bat
        89⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        90⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        90⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        89⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418165.bat
        90⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        90⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418243.bat
        91⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        92⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        92⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        91⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418321.bat
        92⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        93⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        93⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        92⤵
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418399.bat
        93⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        94⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        94⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        93⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418477.bat
        94⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        94⤵
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418555.bat
        95⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        95⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418649.bat
        96⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        97⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        96⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418742.bat
        97⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        98⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        97⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418836.bat
        98⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        98⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418914.bat
        99⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        100⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        99⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259418992.bat
        100⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        101⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        100⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419070.bat
        101⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        102⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        101⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419163.bat
        102⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        103⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419241.bat
        103⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        104⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        104⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        103⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419319.bat
        104⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        105⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        105⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        104⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419413.bat
        105⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        106⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        106⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        105⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419507.bat
        106⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        107⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        106⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419616.bat
        107⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        108⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        107⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419694.bat
        108⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        109⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        108⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419803.bat
        109⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        110⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        109⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419881.bat
        110⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        111⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        110⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259419975.bat
        111⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        112⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        111⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259420068.bat
        112⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        113⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        113⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        112⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259420177.bat
        113⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        114⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        114⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        113⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259420255.bat
        114⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        115⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        114⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259420349.bat
        115⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        116⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        115⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259420443.bat
        116⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        117⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        116⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259420536.bat
        117⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        118⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        117⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259420630.bat
        118⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        119⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        119⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        118⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259420723.bat
        119⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        120⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        119⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259420801.bat
        120⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        121⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        120⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259420911.bat
        121⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        122⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        122⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        121⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421020.bat
        122⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        123⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        123⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        122⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421113.bat
        123⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        124⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        123⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421207.bat
        124⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        125⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        124⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421316.bat
        125⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        126⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        125⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421394.bat
        126⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        127⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        126⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421488.bat
        127⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        128⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        127⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421566.bat
        128⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        129⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        128⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421675.bat
        129⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        130⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        130⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        129⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421769.bat
        130⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        131⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        130⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421847.bat
        131⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        132⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        131⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259421940.bat
        132⤵
        
        PID:900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        133⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        133⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        132⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259422034.bat
        133⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        134⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        133⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259422127.bat
        134⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        135⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        134⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259422221.bat
        135⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        136⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        135⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259422315.bat
        136⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        137⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        136⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259422424.bat
        137⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        138⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        137⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259422502.bat
        138⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        139⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        138⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259422580.bat
        139⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        140⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        139⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259422673.bat
        140⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        141⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        140⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259422798.bat
        141⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        142⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\jziins.exe
        
        C:\Windows\system32\jziins.exe
        141⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259426854.bat
        142⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408306.bat
        11⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259408103.bat
        9⤵
        
        PID:776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259407900.bat
        7⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        Drops file in System32 directory
        
        PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259407619.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3020
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2972
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2832
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2808
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2712
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1916
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1044
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:860
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2064
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:740
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:852
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1032
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2020
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2248
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1940
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:300
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1224
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2280
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2528
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2296
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2684
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2828
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:368
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2192
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3880
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3320
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3676
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:7020

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259407713.bat
1⤵
PID:2616
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2340
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2824
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:768
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1544
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1248
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2600
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2568
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1604
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2708
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2388
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1836
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1048
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2672
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2796
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2560
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3624
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:628
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4372
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5724
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6408
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4908

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259407978.bat
1⤵
PID:2008
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:944
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:896
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1640
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:828
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1908
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1016
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2680
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2472
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1036
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2628
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:464
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1584
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2524
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2880
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1532
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:600
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3864
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13765151491512335058115483471619864236671163976-13448398331699258165236822611"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17745309571933206738101581322897778853-281653452063182176-5060176701763009847"
1⤵
PID:1916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1649884567-1518554517-1964839391-545694109-2782625141244336191-327137296-1197241809"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-104971992716249988-2062975907-1087420249-506921848-1470598525-1131161945-1384374980"
1⤵
PID:872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1349996962-969574398-1499206127-129362871115697059-16955338821132073897232214913"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "685385227-711478472-1735333567-1403990292-1998673674-1759293911-3464011501211888799"
1⤵
PID:2812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2064692784-716235519-226182746-140839059619722959006246520811339057552-847091973"
1⤵
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12114183881198826703-958740759-384038732-1394487555542476184-546478745202253745"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-179483515-94156870-2129780937142426182121069467541952450287-1290025852-1402339504"
1⤵
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2016259515-661468560620543230131570526-1270988638-14733544526184835351104810230"
1⤵
PID:1232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-36091073475079295-704502369-410992709-1883002264706542375-96159860-64182237"
1⤵
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-37312727-538212554901222543-1994304572212984184411138346871772433306-2037457585"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1093526327176939762-1342145178-10854427011867315000-9298753041662825472-1575089155"
1⤵
PID:1036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1435216918-858625770-13266829595255858213897595031985420035480798339-911638536"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9031403581779549967-1016045674-102838531-1688390888-1279768973-2053195185184780198"
1⤵
PID:368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1492658072-1004318675-1249893101188548903-2060538342140509849336962359134008999"
1⤵
PID:820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1131789217-1071571915-5826640015163908971732693280-1266931816-14593553241226936878"
1⤵
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-413376917-548707962186218020219814241101493362459-1064107019-1700208209-60305530"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1566175951531921336183846193-1602716744965912850-20155529941733920603-1276509816"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-164039275510231793271073177956505860924-2060438255-249108760808021678182629023"
1⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8625385810035743661878564292-128631247-17993379842250050531581733262-360404666"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20458272161346194553-9569437532065827898-1313467944550351074-5890534-1155467348"
1⤵
PID:3980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "439867742834897280810481441-1394294152750370460-13183426201723159224437455942"
1⤵
PID:3568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6893661591969183467795192000-1280670435-1042802541162992133284069457-1089844081"
1⤵
PID:3688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-232337841-4020034702124864571-1050366280-452811802-1641685626-816750586-167865543"
1⤵
PID:3836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "524711239-130026560-1196907118-20839719061921093382-1074599513400706229-2082045088"
1⤵
PID:3244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2137035723166454340-860186780-195909348917402359211746335859-1226678547-294020962"
1⤵
PID:3600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1948808586696772162-2146568983353934802-479911409-143809605812217359941508556366"
1⤵
PID:3640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1123174558-1773412993-354289488-1663760644-1450517383-12181828851086872635-1266517475"
1⤵
PID:3876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-90573261212067460462086752263-1363554244809084874339370338-698781134-1242716338"
1⤵
PID:3880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "311077314978871085220530954-1217435558-1899350470-1831187000-885766437-684120875"
1⤵
PID:3096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1900732715-428737850-15476974141092109077218458678-18486476741338828720-1947112473"
1⤵
PID:600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1244563766-17270871327451337244468585491607391762987054754-20414218781138400542"
1⤵
PID:3492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-727043607-963111329174835488312540794151382960290-5240777591483267471-538333918"
1⤵
PID:4168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "132083767-7528899341516361651138803967-1928891615-1630721257334060184228545369"
1⤵
PID:4728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1109788175-90894777-1063164612-600715791-1536974968-558169655-1285174893-2076404779"
1⤵
PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DFD259407370.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD259438086.bat

Filesize
290B

MD5
4220ec5ed402812afd36265e0c96d3e6

SHA1
c166e38446298358fd4c6f08206d7dc723035ec1

SHA256
f0ce2d51d34f8caebd20843727c9a18e793d5c6e2d429a61586ff137df503338

SHA512
69233393b38c3563da4adba4e5588117da02f8f6cdbb6e715a8605f52c73625754cabcbe18e2053dbcb39798ee4f1fafce6b57f117706fdee50ce45193dd544c

Download Submit
C:\DFD259438523.bat

Filesize
170B

MD5
3d674421be1f974d5d5c2c12f7bbd2a8

SHA1
83393f783543084ba88c79aa427b0dd094a5cef7

SHA256
49bcb95b25fa52d62a2a0c3ad0960ed1b8cbf7362c3fc01262c6a14146d28cd8

SHA512
a30c3b92cea0958f289375c5ffee716da40de1ab43d6204d3f87e8939ae7ed03968edc11a6012af667dfeafebaa8826cc039a40bf282eef9358ba68c41f3f764

Download Submit
C:\Windows\SysWOW64\jzipri.dll

Filesize
18KB

MD5
f973f933f98ac47b7903973d41a865f9

SHA1
24dd9f0bb7ce9d6e5f3c98536e238d2375047067

SHA256
68aa163951350a41ee27cd5e9672a935fc23eed723435237883ea661ac3f940d

SHA512
c88020c6ee1f9810213909e69aa8ff0cf09ac0ac59781af301079b4b6cbe08e83e44131e6f159e6ce5eb1dae8cb768eb29675f4ca1f65aa01d4d8c8594e0bccb

Download Submit
\Windows\SysWOW64\jziins.exe

Filesize
11KB

MD5
8c1977a313d960b2ed76eaa2a0c3f598

SHA1
2cd8a4589880864b7ce0f89ef2c6e211dc8b5775

SHA256
9bc55f1e5743d7f50f1032e315ff873b9ab93bdd09489dd63412132004721236

SHA512
5b1242b37e7a5685d335d1d6c682f93bc10ae120378d31bd85bcd91c965373cc71af7e5dc8d09f5c2de607951cf843b6064b9a141e6992e81e4b658b7b0333d4

Download Submit
memory/916-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1140-258-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1200-221-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1200-119-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1448-268-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1448-348-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1572-413-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1572-540-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1708-251-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1712-314-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1732-365-0x00000000003A0000-0x00000000003B7000-memory.dmp

Filesize
92KB

Download
memory/1756-685-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1764-40-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1764-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1984-187-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1984-195-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/2088-315-0x00000000003A0000-0x00000000003B7000-memory.dmp

Filesize
92KB

Download
memory/2124-381-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2232-732-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download
memory/2232-629-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download
memory/2232-630-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download
memory/2284-460-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/2412-508-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/2412-605-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/2432-248-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/2464-140-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2464-24-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2464-116-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2464-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2536-397-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2552-102-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/2552-182-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/2588-588-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2628-444-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/2656-498-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2656-595-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2732-934-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2792-151-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2792-62-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2792-60-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2792-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2820-857-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2820-944-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2820-937-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2824-476-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2924-587-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2964-639-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2996-686-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2996-778-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3004-349-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/3036-73-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3036-82-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3036-174-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3040-621-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/3040-541-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/3040-524-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3228-794-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3236-903-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3628-953-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3772-984-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3820-935-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3964-1000-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3968-856-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/3968-840-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download