0a2773159282f09e31d7a423da9c28cbc13b231091a4fcd728e49a286593535e

Analysis

max time kernel
50s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe
Size

11KB
MD5

6fd58cd0333fd647e26b159140d042a3
SHA1

47effb33b334aad0b29c1fa887e8e42aebe65ed1
SHA256

0a2773159282f09e31d7a423da9c28cbc13b231091a4fcd728e49a286593535e
SHA512

1fec91956e224def6617437ee909d5b1fd1892976d47018d1d39bec753bfba2ca8139258b9e07247b553ebdb5b34382f56e7dbbf87ddaeaf07e1a8398f79bba8
SSDEEP

192:IIlBsTmfAxo7ofKLfTFvVXUvG6OrAwI7W1Gc7oSmRkgUwuwI:IQBsTm+eof6xNCoCCcc7oSVB

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
7136	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2460	jhains.exe
2916	jhains.exe
2672	jhains.exe
2640	jhains.exe
2988	jhains.exe
2984	jhains.exe
2888	jhains.exe
1204	jhains.exe
1328	jhains.exe
2132	jhains.exe
348	jhains.exe
664	jhains.exe
2844	jhains.exe
2700	jhains.exe
2252	jhains.exe
1760	jhains.exe
832	jhains.exe
1756	jhains.exe
2576	jhains.exe
2976	jhains.exe
672	jhains.exe
828	jhains.exe
1592	jhains.exe
2108	jhains.exe
1568	jhains.exe
320	jhains.exe
2592	jhains.exe
924	jhains.exe
1532	jhains.exe
2744	jhains.exe
1240	jhains.exe
436	jhains.exe
1556	jhains.exe
1080	jhains.exe
2892	jhains.exe
3036	jhains.exe
2852	jhains.exe
1720	jhains.exe
896	jhains.exe
2244	jhains.exe
2644	jhains.exe
3156	jhains.exe
3252	jhains.exe
3352	jhains.exe
3444	jhains.exe
3540	jhains.exe
3672	jhains.exe
3756	jhains.exe
3848	jhains.exe
3952	jhains.exe
4068	jhains.exe
2120	jhains.exe
3220	jhains.exe
3340	jhains.exe
3480	jhains.exe
3664	jhains.exe
3788	jhains.exe
4020	jhains.exe
2348	jhains.exe
3140	jhains.exe
3380	jhains.exe
3592	jhains.exe
3804	jhains.exe
2820	jhains.exe

Loads dropped DLL 64 IoCs

pid	Process
1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe
1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe
2460	jhains.exe
2460	jhains.exe
2916	jhains.exe
2916	jhains.exe
2672	jhains.exe
2672	jhains.exe
2640	jhains.exe
2640	jhains.exe
2988	jhains.exe
2988	jhains.exe
2984	jhains.exe
2984	jhains.exe
2888	jhains.exe
2888	jhains.exe
1204	jhains.exe
1204	jhains.exe
1328	jhains.exe
1328	jhains.exe
2132	jhains.exe
2132	jhains.exe
348	jhains.exe
348	jhains.exe
664	jhains.exe
664	jhains.exe
2844	jhains.exe
2844	jhains.exe
2700	jhains.exe
2700	jhains.exe
2252	jhains.exe
2252	jhains.exe
1760	jhains.exe
1760	jhains.exe
832	jhains.exe
832	jhains.exe
1756	jhains.exe
1756	jhains.exe
2576	jhains.exe
2576	jhains.exe
2976	jhains.exe
2976	jhains.exe
672	jhains.exe
672	jhains.exe
828	jhains.exe
828	jhains.exe
1592	jhains.exe
1592	jhains.exe
2108	jhains.exe
2108	jhains.exe
1568	jhains.exe
1568	jhains.exe
320	jhains.exe
320	jhains.exe
2592	jhains.exe
2592	jhains.exe
924	jhains.exe
924	jhains.exe
1532	jhains.exe
1532	jhains.exe
2744	jhains.exe
2744	jhains.exe
1240	jhains.exe
1240	jhains.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\jhains.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jhains.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jhains.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jhains.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe
2460	jhains.exe
2916	jhains.exe
2672	jhains.exe
2640	jhains.exe
2988	jhains.exe
2984	jhains.exe
2888	jhains.exe
1204	jhains.exe
1328	jhains.exe
2132	jhains.exe
348	jhains.exe
664	jhains.exe
2844	jhains.exe
2700	jhains.exe
2252	jhains.exe
1760	jhains.exe
832	jhains.exe
1756	jhains.exe
2576	jhains.exe
2976	jhains.exe
672	jhains.exe
672	jhains.exe
828	jhains.exe
1592	jhains.exe
1592	jhains.exe
2108	jhains.exe
2108	jhains.exe
1568	jhains.exe
1568	jhains.exe
320	jhains.exe
320	jhains.exe
320	jhains.exe
2592	jhains.exe
2592	jhains.exe
2592	jhains.exe
924	jhains.exe
924	jhains.exe
924	jhains.exe
1532	jhains.exe
1532	jhains.exe
1532	jhains.exe
2744	jhains.exe
2744	jhains.exe
2744	jhains.exe
1240	jhains.exe
1240	jhains.exe
1240	jhains.exe
436	jhains.exe
436	jhains.exe
436	jhains.exe
436	jhains.exe
1556	jhains.exe
1556	jhains.exe
1556	jhains.exe
1556	jhains.exe
1080	jhains.exe
1080	jhains.exe
1080	jhains.exe
1080	jhains.exe
2892	jhains.exe
2892	jhains.exe
2892	jhains.exe
2892	jhains.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1732	1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	30
PID 1404 wrote to memory of 1732	1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	30
PID 1404 wrote to memory of 1732	1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	30
PID 1404 wrote to memory of 1732	1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	30
PID 1404 wrote to memory of 2460	1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	32
PID 1404 wrote to memory of 2460	1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	32
PID 1404 wrote to memory of 2460	1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	32
PID 1404 wrote to memory of 2460	1404	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	32
PID 2460 wrote to memory of 3064	2460	jhains.exe	33
PID 2460 wrote to memory of 3064	2460	jhains.exe	33
PID 2460 wrote to memory of 3064	2460	jhains.exe	33
PID 2460 wrote to memory of 3064	2460	jhains.exe	33
PID 2460 wrote to memory of 2916	2460	jhains.exe	34
PID 2460 wrote to memory of 2916	2460	jhains.exe	34
PID 2460 wrote to memory of 2916	2460	jhains.exe	34
PID 2460 wrote to memory of 2916	2460	jhains.exe	34
PID 2916 wrote to memory of 2212	2916	jhains.exe	36
PID 2916 wrote to memory of 2212	2916	jhains.exe	36
PID 2916 wrote to memory of 2212	2916	jhains.exe	36
PID 2916 wrote to memory of 2212	2916	jhains.exe	36
PID 2916 wrote to memory of 2672	2916	jhains.exe	37
PID 2916 wrote to memory of 2672	2916	jhains.exe	37
PID 2916 wrote to memory of 2672	2916	jhains.exe	37
PID 2916 wrote to memory of 2672	2916	jhains.exe	37
PID 1732 wrote to memory of 2660	1732	cmd.exe	38
PID 1732 wrote to memory of 2660	1732	cmd.exe	38
PID 1732 wrote to memory of 2660	1732	cmd.exe	38
PID 1732 wrote to memory of 2660	1732	cmd.exe	38
PID 2672 wrote to memory of 764	2672	jhains.exe	40
PID 2672 wrote to memory of 764	2672	jhains.exe	40
PID 2672 wrote to memory of 764	2672	jhains.exe	40
PID 2672 wrote to memory of 764	2672	jhains.exe	40
PID 2672 wrote to memory of 2640	2672	jhains.exe	41
PID 2672 wrote to memory of 2640	2672	jhains.exe	41
PID 2672 wrote to memory of 2640	2672	jhains.exe	41
PID 2672 wrote to memory of 2640	2672	jhains.exe	41
PID 2640 wrote to memory of 2940	2640	jhains.exe	43
PID 2640 wrote to memory of 2940	2640	jhains.exe	43
PID 2640 wrote to memory of 2940	2640	jhains.exe	43
PID 2640 wrote to memory of 2940	2640	jhains.exe	43
PID 2640 wrote to memory of 2988	2640	jhains.exe	44
PID 2640 wrote to memory of 2988	2640	jhains.exe	44
PID 2640 wrote to memory of 2988	2640	jhains.exe	44
PID 2640 wrote to memory of 2988	2640	jhains.exe	44
PID 2988 wrote to memory of 1724	2988	jhains.exe	46
PID 2988 wrote to memory of 1724	2988	jhains.exe	46
PID 2988 wrote to memory of 1724	2988	jhains.exe	46
PID 2988 wrote to memory of 1724	2988	jhains.exe	46
PID 2988 wrote to memory of 2984	2988	jhains.exe	47
PID 2988 wrote to memory of 2984	2988	jhains.exe	47
PID 2988 wrote to memory of 2984	2988	jhains.exe	47
PID 2988 wrote to memory of 2984	2988	jhains.exe	47
PID 2212 wrote to memory of 2000	2212	cmd.exe	48
PID 2212 wrote to memory of 2000	2212	cmd.exe	48
PID 2212 wrote to memory of 2000	2212	cmd.exe	48
PID 2212 wrote to memory of 2000	2212	cmd.exe	48
PID 2984 wrote to memory of 3048	2984	jhains.exe	50
PID 2984 wrote to memory of 3048	2984	jhains.exe	50
PID 2984 wrote to memory of 3048	2984	jhains.exe	50
PID 2984 wrote to memory of 3048	2984	jhains.exe	50
PID 1732 wrote to memory of 1984	1732	cmd.exe	49
PID 1732 wrote to memory of 1984	1732	cmd.exe	49
PID 1732 wrote to memory of 1984	1732	cmd.exe	49
PID 1732 wrote to memory of 1984	1732	cmd.exe	49

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
8208	Process not Found
3596	Process not Found
5548	Process not Found
9232	Process not Found
13264	Process not Found
3168	Process not Found
11712	Process not Found
10264	Process not Found
10696	Process not Found
1480	Process not Found
10384	Process not Found
6280	Process not Found
6684	Process not Found
13344	Process not Found
14072	Process not Found
8520	Process not Found
9016	Process not Found
13288	Process not Found
12140	Process not Found
3752	Process not Found
9236	Process not Found
11212	Process not Found
9576	Process not Found
12604	Process not Found
6684	Process not Found
14332	Process not Found
13040	Process not Found
7208	Process not Found
6084	Process not Found
12096	Process not Found
11888	Process not Found
3652	attrib.exe
10356	Process not Found
6900	Process not Found
12320	Process not Found
7140	Process not Found
11320	Process not Found
13364	Process not Found
8344	Process not Found
6196	Process not Found
6656	Process not Found
12968	Process not Found
7628	Process not Found
9884	Process not Found
11452	Process not Found
7256	Process not Found
1556	Process not Found
11292	Process not Found
13080	Process not Found
2432	Process not Found
11784	Process not Found
13008	Process not Found
2616	attrib.exe
8504	Process not Found
6064	Process not Found
14044	Process not Found
11640	Process not Found
12948	Process not Found
11312	Process not Found
1948	Process not Found
11604	Process not Found
8424	Process not Found
6700	Process not Found
9892	Process not Found

C:\Users\Admin\AppData\Local\Temp\6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259429303.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:864
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:300
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:6128
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4768
- C:\Windows\SysWOW64\jhains.exe
  C:\Windows\system32\jhains.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259429366.bat
    3⤵
    PID:3064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:344
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:8844
- - C:\Windows\SysWOW64\jhains.exe
    C:\Windows\system32\jhains.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259429397.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:2000
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1384
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:2780
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:608
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:1556
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:296
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2016
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1420
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3796
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:9128
  - - C:\Windows\SysWOW64\jhains.exe
      C:\Windows\system32\jhains.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429413.bat
        5⤵
        
        PID:764
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3008
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2504
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2532
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1576
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1956
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2148
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:2000
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1272
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2596
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2824
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4060
    - - C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429444.bat
        6⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:9784
      - C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429475.bat
        7⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429491.bat
        8⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429506.bat
        9⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429537.bat
        10⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429569.bat
        11⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        Views/modifies file attributes
        
        PID:2616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429584.bat
        12⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429615.bat
        13⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429647.bat
        14⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429709.bat
        15⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429974.bat
        16⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259430130.bat
        17⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259430271.bat
        18⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259430411.bat
        19⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259430583.bat
        20⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259430739.bat
        21⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259430895.bat
        22⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431097.bat
        23⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431269.bat
        24⤵
        
        PID:864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431503.bat
        25⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431534.bat
        26⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431565.bat
        27⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431581.bat
        28⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431597.bat
        29⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431628.bat
        30⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:7924
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431659.bat
        31⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:352
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431675.bat
        32⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431706.bat
        33⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431721.bat
        34⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431737.bat
        35⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431768.bat
        36⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431784.bat
        37⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431815.bat
        38⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        38⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431831.bat
        39⤵
        
        PID:608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        Views/modifies file attributes
        
        PID:3652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        39⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431862.bat
        40⤵
        
        PID:300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431877.bat
        41⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431909.bat
        42⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        42⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431940.bat
        43⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        43⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431971.bat
        44⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431987.bat
        45⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432018.bat
        46⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        46⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432033.bat
        47⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        47⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432065.bat
        48⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        48⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432096.bat
        49⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        49⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432111.bat
        50⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        50⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432143.bat
        51⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        51⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432158.bat
        52⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        52⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432205.bat
        53⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432236.bat
        54⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        54⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432252.bat
        55⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        55⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432283.bat
        56⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432314.bat
        57⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        57⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432345.bat
        58⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        58⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432377.bat
        59⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        59⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432408.bat
        60⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        60⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432439.bat
        61⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        61⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432455.bat
        62⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        62⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432486.bat
        63⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        63⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432533.bat
        64⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        64⤵
        Executes dropped EXE
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432564.bat
        65⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        65⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432579.bat
        66⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        66⤵
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432611.bat
        67⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        67⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432642.bat
        68⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        Drops file in System32 directory
        
        PID:9852
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        68⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432673.bat
        69⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        69⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432704.bat
        70⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        70⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432735.bat
        71⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        71⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432751.bat
        72⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        73⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        73⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        72⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432782.bat
        73⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        73⤵
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432813.bat
        74⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        74⤵
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432829.bat
        75⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        75⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432860.bat
        76⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        76⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432891.bat
        77⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        77⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432907.bat
        78⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        78⤵
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432954.bat
        79⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        79⤵
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432985.bat
        80⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        80⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433016.bat
        81⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        82⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        82⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        81⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433047.bat
        82⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        82⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433063.bat
        83⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        84⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        84⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        83⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433094.bat
        84⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        84⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433110.bat
        85⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        86⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        86⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        85⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433141.bat
        86⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        87⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        87⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        86⤵
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433172.bat
        87⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        88⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        88⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        87⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433188.bat
        88⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        89⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        89⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        88⤵
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433219.bat
        89⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        90⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        90⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        89⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433235.bat
        90⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        90⤵
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433250.bat
        91⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        92⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        92⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        91⤵
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433297.bat
        92⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        93⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        93⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        92⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433328.bat
        93⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        94⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        94⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        93⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433344.bat
        94⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        94⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433375.bat
        95⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        95⤵
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433391.bat
        96⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        97⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        97⤵
        Drops file in System32 directory
        
        PID:10008
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        96⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433422.bat
        97⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        98⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        98⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        97⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433437.bat
        98⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        98⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433484.bat
        99⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        100⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        100⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        99⤵
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433515.bat
        100⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        101⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        101⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        100⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433547.bat
        101⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        102⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        102⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        101⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433578.bat
        102⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        103⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        103⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        102⤵
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433609.bat
        103⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        104⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        104⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        103⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433640.bat
        104⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        105⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        105⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        104⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433671.bat
        105⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        106⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        106⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433718.bat
        106⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        107⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        107⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        106⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433749.bat
        107⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        108⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        108⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        107⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433781.bat
        108⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        109⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        109⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        108⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433812.bat
        109⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        110⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        110⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        109⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433827.bat
        110⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        111⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        111⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        110⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433859.bat
        111⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        112⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        112⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        111⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433890.bat
        112⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        113⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        113⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        112⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433921.bat
        113⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        114⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        114⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        113⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433952.bat
        114⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        115⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        115⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        114⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259433983.bat
        115⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        116⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        116⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        115⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434015.bat
        116⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        117⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        116⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434046.bat
        117⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        118⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        118⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        117⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434077.bat
        118⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        119⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        119⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        118⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434108.bat
        119⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        120⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        120⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        119⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434139.bat
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        121⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        121⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        120⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434171.bat
        121⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        122⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        121⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434202.bat
        122⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        123⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        122⤵
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434233.bat
        123⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        124⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        124⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        123⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434264.bat
        124⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        125⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        125⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        124⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434295.bat
        125⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        126⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        125⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434373.bat
        126⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        127⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        127⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        126⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434420.bat
        127⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        128⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        127⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434451.bat
        128⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        129⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        128⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434483.bat
        129⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        130⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        129⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434529.bat
        130⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        131⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        130⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434561.bat
        131⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        132⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        131⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434592.bat
        132⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        133⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        132⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434623.bat
        133⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        134⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        134⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        133⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434654.bat
        134⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        135⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        135⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        134⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434685.bat
        135⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        136⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        135⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434717.bat
        136⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        137⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        136⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434748.bat
        137⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        138⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        137⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434795.bat
        138⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        139⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        138⤵
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434826.bat
        139⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        140⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        139⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434857.bat
        140⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        141⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        141⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        140⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434873.bat
        141⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        142⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        141⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434904.bat
        142⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        143⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        142⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434935.bat
        143⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        144⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        143⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434966.bat
        144⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        145⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        144⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434982.bat
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        146⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        146⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        145⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435013.bat
        146⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        147⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        147⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        146⤵
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435044.bat
        147⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        148⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        147⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435075.bat
        148⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        149⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        148⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435107.bat
        149⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        150⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        149⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435138.bat
        150⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        151⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        150⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435185.bat
        151⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        152⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        151⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435216.bat
        152⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        153⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        152⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435231.bat
        153⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        154⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        153⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435263.bat
        154⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        155⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        155⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        154⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435294.bat
        155⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        156⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        155⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435325.bat
        156⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        157⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        157⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        156⤵
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435341.bat
        157⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        158⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        157⤵
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435372.bat
        158⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        159⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        158⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435403.bat
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        160⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        160⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        159⤵
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435434.bat
        160⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        161⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        160⤵
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435465.bat
        161⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        162⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        161⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435497.bat
        162⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        163⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        162⤵
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435528.bat
        163⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        164⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        163⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435559.bat
        164⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        165⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        164⤵
        Modifies registry class
        
        PID:7184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435590.bat
        165⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        166⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        165⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435621.bat
        166⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        167⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        166⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435653.bat
        167⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        168⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        167⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435684.bat
        168⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        169⤵
        
        PID:344
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        168⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435715.bat
        169⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        170⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        169⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435762.bat
        170⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        171⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        170⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435793.bat
        171⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        172⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:7984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435824.bat
        172⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        173⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        172⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435871.bat
        173⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        174⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        174⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        173⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435902.bat
        174⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        175⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        174⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435933.bat
        175⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        176⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        175⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435980.bat
        176⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        177⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        176⤵
        Modifies registry class
        
        PID:7472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436011.bat
        177⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        178⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        177⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436043.bat
        178⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        179⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        178⤵
        Modifies registry class
        
        PID:7788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436089.bat
        179⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        180⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        179⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436121.bat
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:8052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        181⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        180⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436167.bat
        181⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        182⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:7272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436214.bat
        182⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        183⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        182⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436245.bat
        183⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        184⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        183⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436292.bat
        184⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        185⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        184⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436323.bat
        185⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        186⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        185⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436355.bat
        186⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        187⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        186⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436401.bat
        187⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        188⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        188⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        187⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436433.bat
        188⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        189⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        189⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        188⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436479.bat
        189⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        190⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        189⤵
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436511.bat
        190⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        191⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        190⤵
        Modifies registry class
        
        PID:7824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436542.bat
        191⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        192⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        191⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436573.bat
        192⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        193⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        192⤵
        Modifies registry class
        
        PID:8068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436620.bat
        193⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        194⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        193⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436667.bat
        194⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        195⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        194⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436698.bat
        195⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        196⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        195⤵
        Modifies registry class
        
        PID:8324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436729.bat
        196⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        197⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        196⤵
        Modifies registry class
        
        PID:8428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436760.bat
        197⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        198⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        197⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436791.bat
        198⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        199⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        198⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436838.bat
        199⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        200⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        199⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436869.bat
        200⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        201⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        200⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436916.bat
        201⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        202⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        201⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436947.bat
        202⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        203⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        202⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436979.bat
        203⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        204⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        203⤵
        Drops file in System32 directory
        
        PID:9148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437041.bat
        204⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        205⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        204⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437072.bat
        205⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        206⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        205⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437119.bat
        206⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        207⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        206⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437150.bat
        207⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        208⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        207⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437197.bat
        208⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        209⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        208⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437244.bat
        209⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:10040
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        209⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437291.bat
        210⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        211⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        210⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437322.bat
        211⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        212⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        211⤵
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437353.bat
        212⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        213⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        212⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437415.bat
        213⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        214⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        213⤵
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437447.bat
        214⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        215⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        214⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437493.bat
        215⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        216⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        215⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437525.bat
        216⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        217⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        216⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437571.bat
        217⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        218⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        217⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437634.bat
        218⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        219⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        218⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437681.bat
        219⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        220⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        219⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437712.bat
        220⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        221⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        220⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437759.bat
        221⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        222⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        221⤵
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437837.bat
        222⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        223⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        222⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437868.bat
        223⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        224⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        223⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437899.bat
        224⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        225⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        224⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437946.bat
        225⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        226⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        225⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437993.bat
        226⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        227⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        226⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438039.bat
        227⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        228⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        227⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438086.bat
        228⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        229⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        228⤵
        Modifies registry class
        
        PID:9888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438117.bat
        229⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        230⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        229⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438164.bat
        230⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        231⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        230⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438195.bat
        231⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        232⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        231⤵
        Modifies registry class
        
        PID:10188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438242.bat
        232⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        233⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        232⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438273.bat
        233⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        234⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        233⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438320.bat
        234⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        235⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        234⤵
        Modifies registry class
        
        PID:9516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438367.bat
        235⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        236⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        235⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259440099.bat
        236⤵
        
        PID:6036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1353985841-472836822042939507-1137493201-1998956600651935630-711566251-1661746911"
1⤵
PID:548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "955377722-339677726-12583838262092378553-678364329-131073972207795945799715676"
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "81882886-4798304536139621951443672445-18475955721381247703-980840399-300705936"
1⤵
PID:2832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1145069484-1289042245-1483081691-15996547801286346514871355902001899641044064606"
1⤵
PID:296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13577684401018894442354322288-23845896020148377521773602289-10936713771443310899"
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "444742211329349185-1902475103-9761499700380252-2140883705-2055101628-1131269633"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1328537009-127689171220357276020730557871578652254-194007276-520987682725494929"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-718263558-1723399236-34396992717932415611233802837-1508517008-60741632-31585779"
1⤵
PID:2992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-117906786320459654551453484103-504979052-1590975914-1246659223-3479997092028658073"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1610479404-1131419720-1304875325204077277582751226805950660-16016687081429113349"
1⤵
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-101276585315662362220908588481025325422-20064141961300762076-1428857103-1071970759"
1⤵
PID:2740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9607078631691240630-1465553917-1978414838952277971-133567407134953920721759900"
1⤵
PID:760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1095786936-1556969331-1674651201-1993868535-1168147067-13827021815349983881128552561"
1⤵
PID:3696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1056174803-83254733498938333549317396-45351729-664978701-1104534436-1720502314"
1⤵
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-976026698-888871714-700221040-583871625-374617137-518245650-1345054108-2066792326"
1⤵
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1775419332-2063403601-1929034688-1295237147343592445-272461807-163723962870661606"
1⤵
PID:3536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "199145259321222272818561602551881536193-1053614144-1765942038-625866838596217772"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12764285971812761677-19446149671516349158-824860596-1427482075233556266-545480709"
1⤵
PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4901468471099701080-156737802-20386384795059573291694404556-6597782232139131527"
1⤵
PID:4568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20598538391831947345-1491534299-7061580801094089386-2199821041297345133-1755075502"
1⤵
PID:4552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1210862458-197057232219851852766331864342023978224-1166682119-1442642773-235900785"
1⤵
PID:7288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DFD259429303.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD259459880.bat

Filesize
332B

MD5
25950ffb8b218bbf34d77f0f8a3a36fe

SHA1
62c622f30d93d10b43db23b03b5d37101f1c945c

SHA256
d5e976b40f706307d77788c99f3e41b9910c849e98ba6369caaf259296a5007a

SHA512
aa527ad32304d7a902aaabf7f449ac9ea3c1c5ec790e5a98032af195e0c3ed876a4dcb611ad7f2d4b9af276e8f382efe7ebc5f005b9eb0f86aa8be88f9719533

Download Submit
C:\DFD259460192.bat

Filesize
170B

MD5
1eeab16cc347f5a2e7196447f6105cfb

SHA1
d7c108d6b267790e8e0ddcf919a60a8ad34f51e8

SHA256
dbbbc77171dc01526b79772a3aff4dc4150ecfe19049903bc4524ca7f0fe7d3b

SHA512
0794bf18a148c5eb6d6fe351b1b01673b8ca8d7abd3ca7e03c37941f866f9bbdbaec5d373e52418cdeff460c8a2b3ef5baa1d8fa42e9807e13237582dbca26cd

Download Submit
C:\DFD259460348.bat

Filesize
340B

MD5
84d402f002214c3e8fc84c9cdfc29013

SHA1
551e1cc25598edbdfb3aa45e93634213656d4110

SHA256
8150f0f6bc529c96f0b74499502edf148b79a59bfe2938934408b0b392b17c4b

SHA512
febf4c346e02e22ea29fe9cbe64d6f48fe8f254a5a0b1f6b4b513f137fcc463e5b6ed290ba9534357788c450a0a4479781f1eed0a164d63eb53715724ab510a0

Download Submit
C:\DFD259465854.bat

Filesize
680B

MD5
21cecb65a045ff7eba8244e1eb7e509d

SHA1
5472f9929c845bbce28a3e6ea1744c12adb679e1

SHA256
501d01937f54928b924a883e2ecd597cce01c39ddcbc4bf84c039c79baa24034

SHA512
94ea87c7f9c964d07f44075c6872058b46a20cf80ede4a86382c18f5f189d77b5d87cc16d8c7507cac14b5dc6f2954d9ef2d5f7d12f7c299289cfe536848dfc8

Download Submit
C:\Windows\SysWOW64\jhaini.dll

Filesize
70B

MD5
61a96b58f92e7696879530b40371ec7a

SHA1
636de326b13c86ea593e242cac1ec438f1f7d485

SHA256
6b91cf9ead0ce1a7d9d750c3bc91556ff864e72bbc0935cc2cdf2e7cfb5af551

SHA512
d8ed09b766d183a67cf781f657ffe359ad5d37715e8290c911b9dc8438866a833d2fee9632c09c715c4025e15c620fb5f5ad80e414d18cacf1fc8ed36e9b0f5e

Download Submit
C:\Windows\SysWOW64\jhaini.dll

Filesize
256B

MD5
687f116ab5add0a4c2a72e93ed42824e

SHA1
07bb605eee887dbdc94a1ab275e653c95a2dc4e4

SHA256
ca013cf9c2219d7eb1af869141523b2c9b71abfc3ce1a5fb1b95462c76af81cf

SHA512
012cf10a28dcb92f05491653a54076d4f518b6196b06651d9b90af8a6ac394a6173636fd4bcaaf4c5f54b1abf0fe1499e63b242c3967c1845d45ca65db7bc9c6

Download Submit
C:\Windows\SysWOW64\jhaini.dll

Filesize
318B

MD5
cf5d91619376165bd0ebd9b245808dee

SHA1
b05360b02be8567991dfeb19a1d6ada123de44aa

SHA256
9fc2ec9eed4144282e13e4ed2e0c0a25a06db6fde5396718e487989163ff0c2a

SHA512
0e033c5714d512369e4ad347c1af0e7889979b5b8de4e5ee615c65efdf87b54f4ecff70015513182ca79ab22c415a656f9f99deb3a817b409712423cff60dcc4

Download Submit
C:\Windows\SysWOW64\jhapri.dll

Filesize
16KB

MD5
0f4a614db699fa15f708ab82b43343ce

SHA1
15c877d7a10a33f9ccb38b1df1afec65ae09c774

SHA256
c5c6bb7a66e27d7cc441bda9dd393ee699b23f3fcc1eeffab08e6da12412c293

SHA512
4a0544cfc7f02302d7e5d091934d22c08632f367b6da3a45214bfd79af76e6c8443b081dac7a86b406e4b3cd689c78f662f711c2fdb0dfcba0d333f6e676f21c

Download Submit
\Windows\SysWOW64\jhains.exe

Filesize
11KB

MD5
6fd58cd0333fd647e26b159140d042a3

SHA1
47effb33b334aad0b29c1fa887e8e42aebe65ed1

SHA256
0a2773159282f09e31d7a423da9c28cbc13b231091a4fcd728e49a286593535e

SHA512
1fec91956e224def6617437ee909d5b1fd1892976d47018d1d39bec753bfba2ca8139258b9e07247b553ebdb5b34382f56e7dbbf87ddaeaf07e1a8398f79bba8

Download Submit
memory/320-416-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/348-182-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/348-280-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/436-602-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/664-201-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/672-354-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1204-155-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1204-255-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1404-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1404-26-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1404-19-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1532-462-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1556-634-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1592-493-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1592-494-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1592-385-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1720-713-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1756-305-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1760-257-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2132-167-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2244-635-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2252-256-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2252-338-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2460-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2640-203-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2640-109-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2640-110-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/2820-1011-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2844-304-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2844-223-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2852-603-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/2892-666-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2892-570-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2916-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2988-112-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2988-220-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3036-682-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3036-586-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3220-963-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3220-854-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3252-797-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3252-714-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3300-1119-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3300-1230-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3300-1229-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3380-979-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3444-731-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/3444-822-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/3480-1010-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3480-891-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3480-892-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3540-838-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/3584-1495-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3732-1058-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3804-1110-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3952-902-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/4124-1247-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4124-1142-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4148-1552-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4196-1409-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4196-1312-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4244-1181-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/4244-1172-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/4244-1280-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/4244-1278-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/4264-1429-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4264-1536-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4276-1314-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4336-1505-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4340-1279-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4340-1188-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4356-1712-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4356-1618-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4420-1602-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4420-1504-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4444-1213-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4444-1313-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4624-1619-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4732-1471-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4744-1600-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4744-1601-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4744-1682-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4868-1377-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/4868-1360-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4904-1262-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/4904-1376-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/4936-1473-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4936-1569-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/4936-1568-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/5100-1311-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/5112-1393-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5132-1791-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/5216-1743-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/5216-1651-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/5856-1744-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/5952-1760-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download