0a2773159282f09e31d7a423da9c28cbc13b231091a4fcd728e49a286593535e

Analysis

max time kernel
150s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe
Size

11KB
MD5

6fd58cd0333fd647e26b159140d042a3
SHA1

47effb33b334aad0b29c1fa887e8e42aebe65ed1
SHA256

0a2773159282f09e31d7a423da9c28cbc13b231091a4fcd728e49a286593535e
SHA512

1fec91956e224def6617437ee909d5b1fd1892976d47018d1d39bec753bfba2ca8139258b9e07247b553ebdb5b34382f56e7dbbf87ddaeaf07e1a8398f79bba8
SSDEEP

192:IIlBsTmfAxo7ofKLfTFvVXUvG6OrAwI7W1Gc7oSmRkgUwuwI:IQBsTm+eof6xNCoCCcc7oSVB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3984	jhains.exe
3848	jhains.exe
3372	jhains.exe
4776	jhains.exe
4028	jhains.exe
2804	jhains.exe
2008	jhains.exe
3732	jhains.exe
2152	jhains.exe
4708	jhains.exe
236	jhains.exe
4456	jhains.exe
4480	jhains.exe
3048	jhains.exe
3612	jhains.exe
2088	jhains.exe
336	jhains.exe
4468	jhains.exe
5020	jhains.exe
5024	jhains.exe
3912	jhains.exe
2780	jhains.exe
2856	jhains.exe
2248	jhains.exe
3552	jhains.exe
2868	jhains.exe
2120	jhains.exe
3832	jhains.exe
1848	jhains.exe
1640	jhains.exe
5176	jhains.exe
5268	jhains.exe
5384	jhains.exe
5536	jhains.exe
5632	jhains.exe
5804	jhains.exe
5892	jhains.exe
5988	jhains.exe
6116	jhains.exe
5244	jhains.exe
5304	jhains.exe
4884	jhains.exe
5752	jhains.exe
5680	jhains.exe
3716	jhains.exe
5380	jhains.exe
5688	jhains.exe
6160	jhains.exe
6284	jhains.exe
6416	jhains.exe
6556	jhains.exe
6716	jhains.exe
6816	jhains.exe
7060	jhains.exe
7140	jhains.exe
6260	jhains.exe
6652	jhains.exe
6928	jhains.exe
6948	jhains.exe
648	jhains.exe
6348	jhains.exe
6388	jhains.exe
7040	jhains.exe
6248	jhains.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\jhains.exe	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jhapri.dll	jhains.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
16616	12796	Process not Found	1485
16088	16680	Process not Found	1533
17036	10304	Process not Found	1785
15800	14644	Process not Found	2151
16932	14936	Process not Found	2160
6664	16044	Process not Found	2319
5844	17108	Process not Found	2532

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\jhapri.dll"	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32\ThreadingModel = "Apartment"	jhains.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252D2432-37A2-324F-2A54-21BF5CF2F1A2}\InprocServer32	jhains.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
384	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe
384	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe
3984	jhains.exe
3984	jhains.exe
3848	jhains.exe
3848	jhains.exe
3372	jhains.exe
3372	jhains.exe
4776	jhains.exe
4776	jhains.exe
4028	jhains.exe
4028	jhains.exe
2804	jhains.exe
2804	jhains.exe
2008	jhains.exe
2008	jhains.exe
3732	jhains.exe
3732	jhains.exe
2152	jhains.exe
2152	jhains.exe
4708	jhains.exe
4708	jhains.exe
236	jhains.exe
236	jhains.exe
4456	jhains.exe
4456	jhains.exe
4480	jhains.exe
4480	jhains.exe
3048	jhains.exe
3048	jhains.exe
3612	jhains.exe
3612	jhains.exe
2088	jhains.exe
2088	jhains.exe
336	jhains.exe
336	jhains.exe
4468	jhains.exe
4468	jhains.exe
5020	jhains.exe
5020	jhains.exe
5024	jhains.exe
5024	jhains.exe
3912	jhains.exe
3912	jhains.exe
2780	jhains.exe
2780	jhains.exe
2856	jhains.exe
2856	jhains.exe
2248	jhains.exe
2248	jhains.exe
3552	jhains.exe
3552	jhains.exe
2868	jhains.exe
2868	jhains.exe
2120	jhains.exe
2120	jhains.exe
3832	jhains.exe
3832	jhains.exe
1848	jhains.exe
1848	jhains.exe
1640	jhains.exe
1640	jhains.exe
5176	jhains.exe
5176	jhains.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 3020	384	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	84
PID 384 wrote to memory of 3020	384	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	84
PID 384 wrote to memory of 3020	384	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	84
PID 384 wrote to memory of 3984	384	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	86
PID 384 wrote to memory of 3984	384	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	86
PID 384 wrote to memory of 3984	384	6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe	86
PID 3984 wrote to memory of 2204	3984	jhains.exe	87
PID 3984 wrote to memory of 2204	3984	jhains.exe	87
PID 3984 wrote to memory of 2204	3984	jhains.exe	87
PID 3984 wrote to memory of 3848	3984	jhains.exe	89
PID 3984 wrote to memory of 3848	3984	jhains.exe	89
PID 3984 wrote to memory of 3848	3984	jhains.exe	89
PID 3848 wrote to memory of 1712	3848	jhains.exe	90
PID 3848 wrote to memory of 1712	3848	jhains.exe	90
PID 3848 wrote to memory of 1712	3848	jhains.exe	90
PID 3848 wrote to memory of 3372	3848	jhains.exe	91
PID 3848 wrote to memory of 3372	3848	jhains.exe	91
PID 3848 wrote to memory of 3372	3848	jhains.exe	91
PID 3372 wrote to memory of 4232	3372	jhains.exe	92
PID 3372 wrote to memory of 4232	3372	jhains.exe	92
PID 3372 wrote to memory of 4232	3372	jhains.exe	92
PID 3372 wrote to memory of 4776	3372	jhains.exe	93
PID 3372 wrote to memory of 4776	3372	jhains.exe	93
PID 3372 wrote to memory of 4776	3372	jhains.exe	93
PID 4776 wrote to memory of 4640	4776	jhains.exe	96
PID 4776 wrote to memory of 4640	4776	jhains.exe	96
PID 4776 wrote to memory of 4640	4776	jhains.exe	96
PID 4776 wrote to memory of 4028	4776	jhains.exe	97
PID 4776 wrote to memory of 4028	4776	jhains.exe	97
PID 4776 wrote to memory of 4028	4776	jhains.exe	97
PID 3020 wrote to memory of 4084	3020	cmd.exe	98
PID 3020 wrote to memory of 4084	3020	cmd.exe	98
PID 3020 wrote to memory of 4084	3020	cmd.exe	98
PID 4028 wrote to memory of 4132	4028	jhains.exe	99
PID 4028 wrote to memory of 4132	4028	jhains.exe	99
PID 4028 wrote to memory of 4132	4028	jhains.exe	99
PID 4028 wrote to memory of 2804	4028	jhains.exe	100
PID 4028 wrote to memory of 2804	4028	jhains.exe	100
PID 4028 wrote to memory of 2804	4028	jhains.exe	100
PID 2804 wrote to memory of 2464	2804	jhains.exe	103
PID 2804 wrote to memory of 2464	2804	jhains.exe	103
PID 2804 wrote to memory of 2464	2804	jhains.exe	103
PID 2804 wrote to memory of 2008	2804	jhains.exe	104
PID 2804 wrote to memory of 2008	2804	jhains.exe	104
PID 2804 wrote to memory of 2008	2804	jhains.exe	104
PID 2008 wrote to memory of 4432	2008	jhains.exe	105
PID 2008 wrote to memory of 4432	2008	jhains.exe	105
PID 2008 wrote to memory of 4432	2008	jhains.exe	105
PID 2008 wrote to memory of 3732	2008	jhains.exe	107
PID 2008 wrote to memory of 3732	2008	jhains.exe	107
PID 2008 wrote to memory of 3732	2008	jhains.exe	107
PID 3732 wrote to memory of 2452	3732	jhains.exe	109
PID 3732 wrote to memory of 2452	3732	jhains.exe	109
PID 3732 wrote to memory of 2452	3732	jhains.exe	109
PID 3732 wrote to memory of 2152	3732	jhains.exe	110
PID 3732 wrote to memory of 2152	3732	jhains.exe	110
PID 3732 wrote to memory of 2152	3732	jhains.exe	110
PID 2152 wrote to memory of 1472	2152	jhains.exe	112
PID 2152 wrote to memory of 1472	2152	jhains.exe	112
PID 2152 wrote to memory of 1472	2152	jhains.exe	112
PID 2152 wrote to memory of 4708	2152	jhains.exe	113
PID 2152 wrote to memory of 4708	2152	jhains.exe	113
PID 2152 wrote to memory of 4708	2152	jhains.exe	113
PID 4708 wrote to memory of 444	4708	jhains.exe	114

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
16772	Process not Found
17156	Process not Found
17364	Process not Found
14480	Process not Found
11404	attrib.exe
15344	Process not Found
2912	Process not Found
16584	Process not Found
8644	Process not Found
10676	Process not Found
15772	Process not Found
13892	attrib.exe
13220	Process not Found
17220	Process not Found
11812	Process not Found
5936	Process not Found
14556	Process not Found
11860	Process not Found
13600	attrib.exe
5760	Process not Found
6396	Process not Found
1340	Process not Found
3388	Process not Found
15828	Process not Found
8596	Process not Found
7152	Process not Found
12112	Process not Found
10904	Process not Found
17144	Process not Found
16120	Process not Found
17184	Process not Found
4060	Process not Found
6928	Process not Found
5184	Process not Found
7460	Process not Found
15664	Process not Found
14984	Process not Found
13928	Process not Found
14320	Process not Found
7980	attrib.exe
1264	Process not Found
8040	Process not Found
9192	Process not Found
8536	Process not Found
7036	attrib.exe
15632	Process not Found
5752	Process not Found
14036	Process not Found
16700	Process not Found
12608	Process not Found
11244	Process not Found
9648	attrib.exe
1176	Process not Found
12236	Process not Found
11856	Process not Found
6016	Process not Found
1084	Process not Found
12512	Process not Found
3648	Process not Found
7156	Process not Found
13876	Process not Found
5820	Process not Found
7312	Process not Found
13064	Process not Found

C:\Users\Admin\AppData\Local\Temp\6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6fd58cd0333fd647e26b159140d042a3_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\DFD240637906.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:4548
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7548
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:7904
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:11028
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:11028
- C:\Windows\SysWOW64\jhains.exe
  C:\Windows\system32\jhains.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\DFD240637953.bat
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      System Location Discovery: System Language Discovery
      PID:6524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:8176
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:7788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:7960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:11428
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:13412
- - C:\Windows\SysWOW64\jhains.exe
    C:\Windows\system32\jhains.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\DFD240637984.bat
      4⤵
      PID:1712
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:6124
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7092
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:7000
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:10912
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6524
  - - C:\Windows\SysWOW64\jhains.exe
      C:\Windows\system32\jhains.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638000.bat
        5⤵
        
        PID:4232
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2120
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5816
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:7776
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:9480
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:10788
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:9676
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:12796
    - - C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638031.bat
        6⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:11556
      - C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638078.bat
        7⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:13724
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638125.bat
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        Drops file in System32 directory
        
        PID:8100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        9⤵
        
        PID:12472
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638140.bat
        9⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:11672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:12472
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638218.bat
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:15284
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638281.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:12320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:13376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:14716
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638328.bat
        12⤵
        
        PID:444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:13136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:14988
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638375.bat
        13⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638421.bat
        14⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:12756
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638468.bat
        15⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:13388
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638515.bat
        16⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:9104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:11484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638562.bat
        17⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:8940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:11960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:14320
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638593.bat
        18⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638625.bat
        19⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:7908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        Drops file in System32 directory
        
        PID:10220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:14284
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638687.bat
        20⤵
        
        PID:964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        Drops file in System32 directory
        
        PID:11412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638750.bat
        21⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        Drops file in System32 directory
        
        PID:9568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:14408
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638781.bat
        22⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:9728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638828.bat
        23⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        24⤵
        
        PID:14740
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638906.bat
        24⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        Drops file in System32 directory
        
        PID:9528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        25⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638937.bat
        25⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        26⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240638984.bat
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        27⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639031.bat
        27⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:13196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:13280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        28⤵
        
        PID:14352
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639093.bat
        28⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        29⤵
        
        PID:14244
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639140.bat
        29⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        Views/modifies file attributes
        
        PID:9648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:12976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        30⤵
        
        PID:14900
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639187.bat
        30⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        Views/modifies file attributes
        
        PID:13600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        31⤵
        
        PID:14068
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639218.bat
        31⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:12428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        32⤵
        
        PID:11952
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639312.bat
        32⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:12088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        33⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639343.bat
        33⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:10768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        34⤵
        
        PID:13116
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        33⤵
        Executes dropped EXE
        
        PID:5268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639390.bat
        34⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        Drops file in System32 directory
        
        PID:8824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        35⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        34⤵
        Executes dropped EXE
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639468.bat
        35⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        Drops file in System32 directory
        
        PID:7480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        36⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639515.bat
        36⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        37⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639562.bat
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        38⤵
        
        PID:14416
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639609.bat
        38⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:14288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        39⤵
        
        PID:15216
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639656.bat
        39⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        40⤵
        
        PID:13320
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        39⤵
        Executes dropped EXE
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639687.bat
        40⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        41⤵
        
        PID:13656
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        40⤵
        Executes dropped EXE
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639750.bat
        41⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        Drops file in System32 directory
        
        PID:10268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        42⤵
        
        PID:14400
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639781.bat
        42⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:13016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        43⤵
        
        PID:14956
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639812.bat
        43⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        44⤵
        
        PID:13916
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        43⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639843.bat
        44⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:13216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        45⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        44⤵
        Executes dropped EXE
        
        PID:5752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639921.bat
        45⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        46⤵
        
        PID:12828
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240639953.bat
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:7368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:14280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        47⤵
        
        PID:14368
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640046.bat
        47⤵
        
        PID:5196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        48⤵
        
        PID:15200
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640125.bat
        48⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        49⤵
        
        PID:14628
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        48⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640156.bat
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        Views/modifies file attributes
        
        PID:7036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        50⤵
        
        PID:13136
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        49⤵
        Executes dropped EXE
        
        PID:6160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640187.bat
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:6220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        51⤵
        
        PID:13052
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        50⤵
        Executes dropped EXE
        
        PID:6284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640250.bat
        51⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:11020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        52⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        51⤵
        Executes dropped EXE
        
        PID:6416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640312.bat
        52⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        Drops file in System32 directory
        
        PID:10948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:12540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        53⤵
        
        PID:13656
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        52⤵
        Executes dropped EXE
        
        PID:6556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640421.bat
        53⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        54⤵
        
        PID:11800
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640500.bat
        54⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        Drops file in System32 directory
        
        PID:9012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        55⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640609.bat
        55⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        56⤵
        
        PID:14684
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        55⤵
        Executes dropped EXE
        
        PID:7060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640640.bat
        56⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        Drops file in System32 directory
        
        PID:7488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:9656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:11672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        57⤵
        
        PID:14172
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640703.bat
        57⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:7092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:13676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        58⤵
        
        PID:14380
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640781.bat
        58⤵
        
        PID:6496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        Drops file in System32 directory
        
        PID:10200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        59⤵
        
        PID:13368
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        58⤵
        Executes dropped EXE
        
        PID:6652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640843.bat
        59⤵
        
        PID:6780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        60⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640890.bat
        60⤵
        
        PID:7088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        61⤵
        
        PID:13484
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640968.bat
        61⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:7564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        
        PID:11556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        62⤵
        
        PID:13984
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240640984.bat
        62⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        63⤵
        
        PID:11592
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641062.bat
        63⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:11944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        64⤵
        
        PID:13884
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641109.bat
        64⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:11864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        65⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        64⤵
        Executes dropped EXE
        
        PID:7040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641156.bat
        65⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:9040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        66⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        65⤵
        Executes dropped EXE
        
        PID:6248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641218.bat
        66⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:12368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        67⤵
        
        PID:15276
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        66⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641281.bat
        67⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        68⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        67⤵
        Modifies registry class
        
        PID:7312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641328.bat
        68⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        69⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        68⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641390.bat
        69⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:12548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        70⤵
        
        PID:15132
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        69⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641437.bat
        70⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:8956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        Drops file in System32 directory
        
        PID:12280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        71⤵
        
        PID:14300
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        70⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641484.bat
        71⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        Drops file in System32 directory
        
        PID:10588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        72⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        71⤵
        Modifies registry class
        
        PID:7760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641546.bat
        72⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        73⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        73⤵
        Drops file in System32 directory
        
        PID:9452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        73⤵
        
        PID:13592
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        72⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641625.bat
        73⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        Views/modifies file attributes
        
        PID:7980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        74⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641687.bat
        74⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        75⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        74⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641781.bat
        75⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        76⤵
        
        PID:14424
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641812.bat
        76⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:13152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        77⤵
        
        PID:15000
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        76⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641875.bat
        77⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        78⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        77⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240641906.bat
        78⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        79⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        78⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642000.bat
        79⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        Drops file in System32 directory
        
        PID:9364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:10468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        80⤵
        
        PID:13300
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        79⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642093.bat
        80⤵
        
        PID:7452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:11196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:12668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        81⤵
        
        PID:14468
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        80⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642140.bat
        81⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        82⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        82⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        82⤵
        
        PID:14068
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642171.bat
        82⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        Drops file in System32 directory
        
        PID:9300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        
        PID:12320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        83⤵
        
        PID:14592
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        82⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642218.bat
        83⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        84⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        84⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        84⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        84⤵
        
        PID:12400
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642250.bat
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:8364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        Drops file in System32 directory
        
        PID:11104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        85⤵
        
        PID:14448
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642296.bat
        85⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        86⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        86⤵
        
        PID:11852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        86⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        85⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642343.bat
        86⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        87⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        87⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        87⤵
        
        PID:13640
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        86⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642406.bat
        87⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        88⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        88⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        88⤵
        
        PID:12484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        88⤵
        Views/modifies file attributes
        
        PID:11404
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        87⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642453.bat
        88⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        89⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        89⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        89⤵
        
        PID:13796
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        88⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642500.bat
        89⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        90⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        90⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        90⤵
        
        PID:12708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        90⤵
        
        PID:14672
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        89⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642562.bat
        90⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        91⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        90⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642625.bat
        91⤵
        
        PID:8328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        92⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        92⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        92⤵
        
        PID:14128
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        91⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642750.bat
        92⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        93⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        93⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        93⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        92⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240642812.bat
        93⤵
        
        PID:9088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        94⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        94⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        94⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        93⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643125.bat
        94⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:14084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        95⤵
        
        PID:14948
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        94⤵
        Drops file in System32 directory
        
        PID:8304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643156.bat
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:7552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        96⤵
        
        PID:14688
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:9284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643234.bat
        96⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        97⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        97⤵
        Drops file in System32 directory
        
        PID:10704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        97⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        97⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        96⤵
        Modifies registry class
        
        PID:9572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643328.bat
        97⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        98⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        98⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        98⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        98⤵
        
        PID:13540
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        97⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643390.bat
        98⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        99⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        98⤵
        Modifies registry class
        
        PID:9936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643468.bat
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:10068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:7948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        100⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        100⤵
        
        PID:14292
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        99⤵
        Modifies registry class
        
        PID:10116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643546.bat
        100⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        101⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        101⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        101⤵
        
        PID:14652
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        100⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643609.bat
        101⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        102⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        102⤵
        
        PID:13300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        102⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        101⤵
        Modifies registry class
        
        PID:7548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643640.bat
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:8492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        103⤵
        Drops file in System32 directory
        
        PID:9296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        103⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        103⤵
        
        PID:12452
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        102⤵
        Modifies registry class
        
        PID:8952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643687.bat
        103⤵
        
        PID:7184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        104⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        104⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        104⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        103⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643765.bat
        104⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        105⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        105⤵
        
        PID:12792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        105⤵
        
        PID:14724
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        104⤵
        Modifies registry class
        
        PID:8352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643812.bat
        105⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        106⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        106⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        105⤵
        Modifies registry class
        
        PID:9556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643859.bat
        106⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        107⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        107⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        107⤵
        
        PID:15268
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        106⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643906.bat
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:8728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        108⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        108⤵
        
        PID:13388
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        107⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240643953.bat
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:6608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        109⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        109⤵
        
        PID:13144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        109⤵
        
        PID:15064
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        108⤵
        Drops file in System32 directory
        
        PID:8144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644078.bat
        109⤵
        
        PID:9476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        110⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        110⤵
        
        PID:13484
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:7368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644125.bat
        110⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        111⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        111⤵
        
        PID:13184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        111⤵
        
        PID:14844
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        110⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644203.bat
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:9480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        112⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        112⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        112⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        111⤵
        Modifies registry class
        
        PID:8900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644281.bat
        112⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        113⤵
        
        PID:11324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        113⤵
        
        PID:13308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        113⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        112⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644390.bat
        113⤵
        
        PID:9768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        114⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        114⤵
        
        PID:11436
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644484.bat
        114⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        115⤵
        
        PID:11344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        115⤵
        
        PID:14268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        115⤵
        
        PID:15232
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644562.bat
        115⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        116⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        116⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        115⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644609.bat
        116⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        117⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        117⤵
        
        PID:13576
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        116⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644656.bat
        117⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        118⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        118⤵
        
        PID:13848
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        117⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644718.bat
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:11008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        119⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        119⤵
        
        PID:11468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        119⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        118⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644765.bat
        119⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        120⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        120⤵
        
        PID:14308
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        119⤵
        Modifies registry class
        
        PID:11156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644796.bat
        120⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        121⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        121⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        120⤵
        Modifies registry class
        
        PID:11252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644828.bat
        121⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        122⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        122⤵
        
        PID:13908
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        121⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240644875.bat
        122⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        123⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        123⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        122⤵
        Modifies registry class
        
        PID:10560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645031.bat
        123⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        124⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        124⤵
        
        PID:13680
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        123⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645062.bat
        124⤵
        
        PID:11024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        125⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        125⤵
        
        PID:13152
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        124⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645171.bat
        125⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        126⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        126⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        125⤵
        Modifies registry class
        
        PID:10396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645218.bat
        126⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        127⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        127⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        126⤵
        Modifies registry class
        
        PID:9920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645312.bat
        127⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        128⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        128⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        127⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645390.bat
        128⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        129⤵
        
        PID:12876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        129⤵
        
        PID:14964
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        128⤵
        Modifies registry class
        
        PID:10296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645484.bat
        129⤵
        
        PID:7788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        130⤵
        
        PID:12628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        130⤵
        
        PID:13852
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        129⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645609.bat
        130⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        131⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        131⤵
        
        PID:14704
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        130⤵
        
        PID:11444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645640.bat
        131⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        132⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        132⤵
        
        PID:14644
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        131⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:11560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645687.bat
        132⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        133⤵
        
        PID:13300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        133⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        132⤵
        Modifies registry class
        
        PID:11692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645750.bat
        133⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        134⤵
        
        PID:12924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        134⤵
        
        PID:15176
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        133⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645781.bat
        134⤵
        
        PID:11844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        135⤵
        
        PID:12752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        135⤵
        
        PID:15148
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:11912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645875.bat
        135⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        136⤵
        
        PID:12724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        136⤵
        
        PID:13000
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        135⤵
        Modifies registry class
        
        PID:12068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240645921.bat
        136⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        137⤵
        
        PID:13100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        137⤵
        
        PID:14512
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        136⤵
        Modifies registry class
        
        PID:12156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646078.bat
        137⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        138⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        137⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646140.bat
        138⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        139⤵
        
        PID:12492
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:11260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646203.bat
        139⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        140⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646265.bat
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:11748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        141⤵
        
        PID:14140
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:11880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646312.bat
        141⤵
        
        PID:12036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        142⤵
        
        PID:14004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        142⤵
        
        PID:13212
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:10820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646359.bat
        142⤵
        
        PID:7960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        143⤵
        
        PID:14016
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        142⤵
        Modifies registry class
        
        PID:9252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646406.bat
        143⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        144⤵
        
        PID:13368
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        143⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646562.bat
        144⤵
        
        PID:9772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        145⤵
        
        PID:14160
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        144⤵
        Modifies registry class
        
        PID:11768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646609.bat
        145⤵
        
        PID:9228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        146⤵
        
        PID:13504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        146⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        145⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646671.bat
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:12136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        147⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        146⤵
        Modifies registry class
        
        PID:12048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646765.bat
        147⤵
        
        PID:10868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:11344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        148⤵
        
        PID:13684
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        147⤵
        
        PID:12016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646937.bat
        148⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        149⤵
        
        PID:13816
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        148⤵
        Drops file in System32 directory
        
        PID:11996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240646984.bat
        149⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        150⤵
        
        PID:14096
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        149⤵
        Drops file in System32 directory
        
        PID:11804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647015.bat
        150⤵
        
        PID:12344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        151⤵
        
        PID:14200
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        150⤵
        
        PID:12404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647078.bat
        151⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        152⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        151⤵
        
        PID:12600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647125.bat
        152⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        153⤵
        
        PID:13956
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        152⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647203.bat
        153⤵
        
        PID:12900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        154⤵
        
        PID:13156
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        153⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647265.bat
        154⤵
        
        PID:13068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        155⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        154⤵
        
        PID:13120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647312.bat
        155⤵
        
        PID:13204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        156⤵
        
        PID:14064
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        155⤵
        
        PID:13256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647421.bat
        156⤵
        
        PID:11424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        157⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        156⤵
        
        PID:12520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647515.bat
        157⤵
        
        PID:12896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        158⤵
        
        PID:12492
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        157⤵
        
        PID:13080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647578.bat
        158⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        159⤵
        
        PID:12912
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        158⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647734.bat
        159⤵
        
        PID:11808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        160⤵
        
        PID:13392
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        159⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647875.bat
        160⤵
        
        PID:13420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        161⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        160⤵
        
        PID:13460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240647937.bat
        161⤵
        
        PID:13512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        162⤵
        
        PID:13688
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        161⤵
        
        PID:13584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648000.bat
        162⤵
        
        PID:13788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        163⤵
        
        PID:14348
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        162⤵
        
        PID:13832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648078.bat
        163⤵
        
        PID:13932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        164⤵
        
        PID:14752
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        163⤵
        
        PID:13988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648125.bat
        164⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        165⤵
        
        PID:14780
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        164⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648250.bat
        165⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        166⤵
        Views/modifies file attributes
        
        PID:13892
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        165⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648359.bat
        166⤵
        
        PID:13416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        167⤵
        
        PID:15020
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        166⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648421.bat
        167⤵
        
        PID:12848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        168⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        167⤵
        
        PID:13784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648500.bat
        168⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        169⤵
        
        PID:13220
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        168⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648625.bat
        169⤵
        
        PID:13188
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        169⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648765.bat
        170⤵
        
        PID:13452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        171⤵
        
        PID:14932
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        170⤵
        
        PID:12752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648843.bat
        171⤵
        
        PID:13308
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        171⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648875.bat
        172⤵
        
        PID:13100
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        172⤵
        
        PID:13076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240648953.bat
        173⤵
        
        PID:14256
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        173⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649031.bat
        174⤵
        
        PID:13560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        175⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        174⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649093.bat
        175⤵
        
        PID:13716
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        175⤵
        
        PID:13684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649140.bat
        176⤵
        
        PID:13828
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        176⤵
        
        PID:13580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649203.bat
        177⤵
        
        PID:12320
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        177⤵
        
        PID:12656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649234.bat
        178⤵
        
        PID:13472
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        178⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649296.bat
        179⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        179⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649343.bat
        180⤵
        
        PID:13676
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        180⤵
        
        PID:13116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649390.bat
        181⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        181⤵
        
        PID:14072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649453.bat
        182⤵
        
        PID:14200
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        182⤵
        
        PID:14392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649562.bat
        183⤵
        
        PID:14568
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        183⤵
        
        PID:14608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649640.bat
        184⤵
        
        PID:14804
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        184⤵
        
        PID:14856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649750.bat
        185⤵
        
        PID:15080
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        185⤵
        
        PID:15124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649796.bat
        186⤵
        
        PID:15256
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        186⤵
        
        PID:15304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649843.bat
        187⤵
        
        PID:15348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        187⤵
        
        PID:12712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240649968.bat
        188⤵
        
        PID:14668
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        188⤵
        
        PID:14836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\DFD240650046.bat
        189⤵
        
        PID:13104
        
        C:\Windows\SysWOW64\jhains.exe
        
        C:\Windows\system32\jhains.exe
        189⤵
        
        PID:15100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DFD240637984.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD240653156.bat

Filesize
170B

MD5
1eeab16cc347f5a2e7196447f6105cfb

SHA1
d7c108d6b267790e8e0ddcf919a60a8ad34f51e8

SHA256
dbbbc77171dc01526b79772a3aff4dc4150ecfe19049903bc4524ca7f0fe7d3b

SHA512
0794bf18a148c5eb6d6fe351b1b01673b8ca8d7abd3ca7e03c37941f866f9bbdbaec5d373e52418cdeff460c8a2b3ef5baa1d8fa42e9807e13237582dbca26cd

Download Submit
C:\Windows\SysWOW64\jhaini.dll

Filesize
70B

MD5
61a96b58f92e7696879530b40371ec7a

SHA1
636de326b13c86ea593e242cac1ec438f1f7d485

SHA256
6b91cf9ead0ce1a7d9d750c3bc91556ff864e72bbc0935cc2cdf2e7cfb5af551

SHA512
d8ed09b766d183a67cf781f657ffe359ad5d37715e8290c911b9dc8438866a833d2fee9632c09c715c4025e15c620fb5f5ad80e414d18cacf1fc8ed36e9b0f5e

Download Submit
C:\Windows\SysWOW64\jhains.exe

Filesize
11KB

MD5
6fd58cd0333fd647e26b159140d042a3

SHA1
47effb33b334aad0b29c1fa887e8e42aebe65ed1

SHA256
0a2773159282f09e31d7a423da9c28cbc13b231091a4fcd728e49a286593535e

SHA512
1fec91956e224def6617437ee909d5b1fd1892976d47018d1d39bec753bfba2ca8139258b9e07247b553ebdb5b34382f56e7dbbf87ddaeaf07e1a8398f79bba8

Download Submit
C:\Windows\SysWOW64\jhapri.dll

Filesize
16KB

MD5
0f4a614db699fa15f708ab82b43343ce

SHA1
15c877d7a10a33f9ccb38b1df1afec65ae09c774

SHA256
c5c6bb7a66e27d7cc441bda9dd393ee699b23f3fcc1eeffab08e6da12412c293

SHA512
4a0544cfc7f02302d7e5d091934d22c08632f367b6da3a45214bfd79af76e6c8443b081dac7a86b406e4b3cd689c78f662f711c2fdb0dfcba0d333f6e676f21c

Download Submit
memory/384-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/384-128-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3848-41-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3984-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/7212-721-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/8144-2560-0x00007FFB94AC0000-0x00007FFB94B43000-memory.dmp

Filesize
524KB

Download
memory/8900-2627-0x00007FFB956F0000-0x00007FFB958E5000-memory.dmp

Filesize
2.0MB

Download
memory/13164-2357-0x00007FFB956F0000-0x00007FFB958E5000-memory.dmp

Filesize
2.0MB

Download
memory/13256-1612-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/14144-2294-0x0000000000C60000-0x0000000000CBA000-memory.dmp

Filesize
360KB

Download
memory/14468-2390-0x0000000076AA0000-0x0000000076C40000-memory.dmp

Filesize
1.6MB

Download
memory/15564-2555-0x00007FFB956F0000-0x00007FFB958E5000-memory.dmp

Filesize
2.0MB

Download
memory/16416-2587-0x00007FFB956F0000-0x00007FFB958E5000-memory.dmp

Filesize
2.0MB

Download
memory/17128-2352-0x0000000000C60000-0x0000000000CBA000-memory.dmp

Filesize
360KB

Download
memory/17376-2273-0x00007FFB956F0000-0x00007FFB958E5000-memory.dmp

Filesize
2.0MB

Download