4359604c646ede115a9ef8451d7e35da22ab1a148e73bdbef17f3a075b4c2745

Analysis

max time kernel
51s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

220629ad845cc68f42dcaa831231127f.exe
Size

27KB
MD5

220629ad845cc68f42dcaa831231127f
SHA1

c0a76703408638bed3e939ba4b19824d83e19559
SHA256

4359604c646ede115a9ef8451d7e35da22ab1a148e73bdbef17f3a075b4c2745
SHA512

2a9b4df145c3eefb3a24f2663de6853819fd9ebe38d8c39a186d2bd9f73e62f620ab7666451e73fd2110b48d446b811b9b9050bb734b89307f051765d9eea2d2
SSDEEP

768:ZSeXzpHe+DbYn8mme806vp6IxAy46fPf/VhbQdWYSL:YSA+/Y8mm77nIc/nbEWpL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
6616	Process not Found

Executes dropped EXE 35 IoCs

pid	Process
4224	rsmyjsp.exe
4504	rsmyjsp.exe
388	rsmyjsp.exe
3716	rsmyjsp.exe
4216	rsmyjsp.exe
672	rsmyjsp.exe
5884	rsmyjsp.exe
3416	rsmyjsp.exe
2948	rsmyjsp.exe
4912	rsmyjsp.exe
2956	rsmyjsp.exe
2932	rsmyjsp.exe
5596	rsmyjsp.exe
2676	Process not Found
2072	Process not Found
4920	rsmyjsp.exe
4756	rsmyjsp.exe
2908	Process not Found
1792	Process not Found
3528	rsmyjsp.exe
6352	Process not Found
6168	Process not Found
2516	Process not Found
4404	Process not Found
6348	Process not Found
5840	Process not Found
588	Process not Found
4252	Process not Found
3264	Process not Found
6832	Process not Found
4476	Process not Found
5448	Process not Found
2608	Process not Found
6096	Process not Found
4032	Process not Found

Loads dropped DLL 64 IoCs

pid	Process
2320	220629ad845cc68f42dcaa831231127f.exe
2320	220629ad845cc68f42dcaa831231127f.exe
4224	rsmyjsp.exe
4224	rsmyjsp.exe
4504	rsmyjsp.exe
4504	rsmyjsp.exe
388	rsmyjsp.exe
388	rsmyjsp.exe
3716	rsmyjsp.exe
3716	rsmyjsp.exe
4216	rsmyjsp.exe
4216	rsmyjsp.exe
672	rsmyjsp.exe
672	rsmyjsp.exe
5884	rsmyjsp.exe
5884	rsmyjsp.exe
3416	rsmyjsp.exe
3416	rsmyjsp.exe
2948	rsmyjsp.exe
2948	rsmyjsp.exe
4912	rsmyjsp.exe
4912	rsmyjsp.exe
2956	rsmyjsp.exe
2956	rsmyjsp.exe
2932	Process not Found
2932	Process not Found
5596	rsmyjsp.exe
5596	rsmyjsp.exe
2676	Process not Found
2676	Process not Found
2072	Process not Found
2072	Process not Found
4920	rsmyjsp.exe
4920	rsmyjsp.exe
4756	rsmyjsp.exe
4756	rsmyjsp.exe
2908	Process not Found
2908	Process not Found
1792	Process not Found
1792	Process not Found
3528	rsmyjsp.exe
3528	rsmyjsp.exe
6352	Process not Found
6352	Process not Found
6168	Process not Found
6168	Process not Found
2516	Process not Found
2516	Process not Found
4404	Process not Found
4404	Process not Found
6348	Process not Found
6348	Process not Found
5840	Process not Found
5840	Process not Found
588	Process not Found
588	Process not Found
4252	Process not Found
4252	Process not Found
3264	Process not Found
3264	Process not Found
6832	Process not Found
6832	Process not Found
4476	Process not Found
4476	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File created	C:\Windows\SysWOW64\rsmyjpm.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\rsmyjpm.dll	rsmyjsp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\rsmyjsp.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	attrib.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	rsmyjsp.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64	220629ad845cc68f42dcaa831231127f.exe
File opened for modification	C:\Windows\SysWOW64	rsmyjsp.exe
File opened for modification	C:\Windows\SysWOW64	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	rsmyjsp.exe
File opened for modification	C:\Windows\SysWOW64	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	rsmyjsp.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\gemobnd.fon	rsmyjsp.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\gemobnd.fon	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	Process not Found
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	Process not Found
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	rsmyjsp.exe
File opened for modification	C:\Windows\SysWOW64	rsmyjsp.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	rsmyjsp.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	rsmyjsp.exe
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\SysWOW64	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\gemobnd.fon	220629ad845cc68f42dcaa831231127f.exe
File opened for modification	C:\Windows\Fonts\gemobnd.fon	rsmyjsp.exe
File opened for modification	C:\Windows\Fonts\rsmyjfgb.dll	Process not Found
File opened for modification	C:\Windows\Fonts\gemobnd.fon	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	rsmyjsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	220629ad845cc68f42dcaa831231127f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	rsmyjsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	220629ad845cc68f42dcaa831231127f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	rsmyjsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	rsmyjsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	220629ad845cc68f42dcaa831231127f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	rsmyjsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	rsmyjsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	rsmyjsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	rsmyjsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	rsmyjsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ = "C:\\Windows\\SysWow64\\rsmyjpm.dll"	rsmyjsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA}\InprocServer32\ThreadingModel = "Apartment"	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	220629ad845cc68f42dcaa831231127f.exe
2320	220629ad845cc68f42dcaa831231127f.exe
2320	220629ad845cc68f42dcaa831231127f.exe
4224	rsmyjsp.exe
4504	rsmyjsp.exe
388	rsmyjsp.exe
3716	rsmyjsp.exe
4216	rsmyjsp.exe
672	rsmyjsp.exe
672	rsmyjsp.exe
672	rsmyjsp.exe
672	rsmyjsp.exe
672	rsmyjsp.exe
672	rsmyjsp.exe
672	rsmyjsp.exe
672	rsmyjsp.exe
672	rsmyjsp.exe
5884	rsmyjsp.exe
3416	rsmyjsp.exe
2948	rsmyjsp.exe
4912	rsmyjsp.exe
2956	rsmyjsp.exe
2956	rsmyjsp.exe
2956	rsmyjsp.exe
2956	rsmyjsp.exe
2956	rsmyjsp.exe
2956	rsmyjsp.exe
2956	rsmyjsp.exe
2956	rsmyjsp.exe
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
5596	rsmyjsp.exe
5596	rsmyjsp.exe
5596	rsmyjsp.exe
5596	rsmyjsp.exe
5596	rsmyjsp.exe
5596	rsmyjsp.exe
5596	rsmyjsp.exe
5596	rsmyjsp.exe
5596	rsmyjsp.exe
2676	Process not Found
2072	Process not Found
4920	rsmyjsp.exe
4920	rsmyjsp.exe
4920	rsmyjsp.exe
4920	rsmyjsp.exe
4920	rsmyjsp.exe
4920	rsmyjsp.exe
4920	rsmyjsp.exe
4920	rsmyjsp.exe
4920	rsmyjsp.exe
4756	rsmyjsp.exe
4756	rsmyjsp.exe
4756	rsmyjsp.exe
4756	rsmyjsp.exe
4756	rsmyjsp.exe
4756	rsmyjsp.exe
4756	rsmyjsp.exe
2908	Process not Found
2908	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2792	2320	220629ad845cc68f42dcaa831231127f.exe	28
PID 2320 wrote to memory of 2792	2320	220629ad845cc68f42dcaa831231127f.exe	28
PID 2320 wrote to memory of 2792	2320	220629ad845cc68f42dcaa831231127f.exe	28
PID 2320 wrote to memory of 2792	2320	220629ad845cc68f42dcaa831231127f.exe	28
PID 2792 wrote to memory of 3004	2792	cmd.exe	30
PID 2792 wrote to memory of 3004	2792	cmd.exe	30
PID 2792 wrote to memory of 3004	2792	cmd.exe	30
PID 2792 wrote to memory of 3004	2792	cmd.exe	30
PID 2320 wrote to memory of 4224	2320	220629ad845cc68f42dcaa831231127f.exe	32
PID 2320 wrote to memory of 4224	2320	220629ad845cc68f42dcaa831231127f.exe	32
PID 2320 wrote to memory of 4224	2320	220629ad845cc68f42dcaa831231127f.exe	32
PID 2320 wrote to memory of 4224	2320	220629ad845cc68f42dcaa831231127f.exe	32
PID 2792 wrote to memory of 4216	2792	cmd.exe	31
PID 2792 wrote to memory of 4216	2792	cmd.exe	31
PID 2792 wrote to memory of 4216	2792	cmd.exe	31
PID 2792 wrote to memory of 4216	2792	cmd.exe	31
PID 2792 wrote to memory of 4272	2792	cmd.exe	33
PID 2792 wrote to memory of 4272	2792	cmd.exe	33
PID 2792 wrote to memory of 4272	2792	cmd.exe	33
PID 2792 wrote to memory of 4272	2792	cmd.exe	33
PID 2792 wrote to memory of 4280	2792	cmd.exe	34
PID 2792 wrote to memory of 4280	2792	cmd.exe	34
PID 2792 wrote to memory of 4280	2792	cmd.exe	34
PID 2792 wrote to memory of 4280	2792	cmd.exe	34
PID 2792 wrote to memory of 4288	2792	cmd.exe	35
PID 2792 wrote to memory of 4288	2792	cmd.exe	35
PID 2792 wrote to memory of 4288	2792	cmd.exe	35
PID 2792 wrote to memory of 4288	2792	cmd.exe	35
PID 4224 wrote to memory of 4324	4224	rsmyjsp.exe	36
PID 4224 wrote to memory of 4324	4224	rsmyjsp.exe	36
PID 4224 wrote to memory of 4324	4224	rsmyjsp.exe	36
PID 4224 wrote to memory of 4324	4224	rsmyjsp.exe	36
PID 4324 wrote to memory of 4352	4324	cmd.exe	38
PID 4324 wrote to memory of 4352	4324	cmd.exe	38
PID 4324 wrote to memory of 4352	4324	cmd.exe	38
PID 4324 wrote to memory of 4352	4324	cmd.exe	38
PID 2792 wrote to memory of 4360	2792	cmd.exe	39
PID 2792 wrote to memory of 4360	2792	cmd.exe	39
PID 2792 wrote to memory of 4360	2792	cmd.exe	39
PID 2792 wrote to memory of 4360	2792	cmd.exe	39
PID 4324 wrote to memory of 4368	4324	cmd.exe	40
PID 4324 wrote to memory of 4368	4324	cmd.exe	40
PID 4324 wrote to memory of 4368	4324	cmd.exe	40
PID 4324 wrote to memory of 4368	4324	cmd.exe	40
PID 2792 wrote to memory of 4376	2792	cmd.exe	41
PID 2792 wrote to memory of 4376	2792	cmd.exe	41
PID 2792 wrote to memory of 4376	2792	cmd.exe	41
PID 2792 wrote to memory of 4376	2792	cmd.exe	41
PID 4324 wrote to memory of 4384	4324	cmd.exe	42
PID 4324 wrote to memory of 4384	4324	cmd.exe	42
PID 4324 wrote to memory of 4384	4324	cmd.exe	42
PID 4324 wrote to memory of 4384	4324	cmd.exe	42
PID 2792 wrote to memory of 4392	2792	cmd.exe	43
PID 2792 wrote to memory of 4392	2792	cmd.exe	43
PID 2792 wrote to memory of 4392	2792	cmd.exe	43
PID 2792 wrote to memory of 4392	2792	cmd.exe	43
PID 4324 wrote to memory of 4400	4324	cmd.exe	44
PID 4324 wrote to memory of 4400	4324	cmd.exe	44
PID 4324 wrote to memory of 4400	4324	cmd.exe	44
PID 4324 wrote to memory of 4400	4324	cmd.exe	44
PID 2792 wrote to memory of 4408	2792	cmd.exe	45
PID 2792 wrote to memory of 4408	2792	cmd.exe	45
PID 2792 wrote to memory of 4408	2792	cmd.exe	45
PID 2792 wrote to memory of 4408	2792	cmd.exe	45

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5408	attrib.exe
4752	attrib.exe
2028	Process not Found
2968	Process not Found
3276	Process not Found
4060	Process not Found
588	attrib.exe
4940	Process not Found
5056	Process not Found
4836	Process not Found
3524	Process not Found
1632	Process not Found
4256	Process not Found
2612	Process not Found
6736	Process not Found
6756	Process not Found
7396	Process not Found
8092	Process not Found
5556	Process not Found
5412	Process not Found
3500	Process not Found
3660	Process not Found
4012	Process not Found
8596	Process not Found
2520	Process not Found
4364	Process not Found
5804	attrib.exe
4036	Process not Found
5932	Process not Found
8000	Process not Found
3272	Process not Found
5044	Process not Found
5488	Process not Found
5480	Process not Found
4936	Process not Found
4868	Process not Found
5884	Process not Found
312	attrib.exe
7048	Process not Found
2960	Process not Found
4136	Process not Found
2840	Process not Found
7332	Process not Found
4240	attrib.exe
3460	attrib.exe
7504	Process not Found
2068	Process not Found
4932	attrib.exe
4764	Process not Found
4772	Process not Found
4144	attrib.exe
916	Process not Found
1160	Process not Found
5188	Process not Found
2604	attrib.exe
6116	Process not Found
2720	Process not Found
8180	Process not Found
2680	attrib.exe
6316	Process not Found
4400	Process not Found
5560	Process not Found
7020	Process not Found
1092	Process not Found

C:\Users\Admin\AppData\Local\Temp\220629ad845cc68f42dcaa831231127f.exe
"C:\Users\Admin\AppData\Local\Temp\220629ad845cc68f42dcaa831231127f.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\DFD259424062.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:4916
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:396
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:1568
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:4288
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:436
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:916
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:4240
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5572
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:896
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:5644
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
    3⤵
    PID:3784
- C:\Windows\SysWOW64\rsmyjsp.exe
  C:\Windows\system32\rsmyjsp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\DFD259425029.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4756
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:4788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:4932
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:560
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4044
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3668
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3888
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:4144
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3200
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:6072
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:6120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3308
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3944
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:3172
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5508
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:6008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4004
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:3460
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:4752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3200
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5216
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:5400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:4084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      PID:3992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2680
- - C:\Windows\SysWOW64\rsmyjsp.exe
    C:\Windows\system32\rsmyjsp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DFD259425544.bat
      4⤵
      PID:4824
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4868
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4892
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4900
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4940
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4924
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4968
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1880
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1896
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1752
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1508
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:940
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4800
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:608
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1256
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4052
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3900
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3872
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3836
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3844
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3804
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:3656
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3636
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3692
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3772
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3600
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3572
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3492
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3432
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3396
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:560
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2364
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4432
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4184
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4148
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1908
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3184
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1528
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5968
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:6088
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3840
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4008
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3460
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:668
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2756
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:960
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3968
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3228
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2556
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4016
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5160
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4992
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:680
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5560
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3448
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2684
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5868
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:1872
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5680
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4076
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:936
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4100
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:900
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        Views/modifies file attributes
        
        PID:5804
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5848
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3908
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4032
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3080
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3848
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3764
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5392
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:3812
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:4204
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        5⤵
        
        PID:5356
  - - C:\Windows\SysWOW64\rsmyjsp.exe
      C:\Windows\system32\rsmyjsp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:388
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259426792.bat
        5⤵
        
        PID:3956
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3876
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3824
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3780
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:3652
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3616
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3584
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3552
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3464
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3356
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2544
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2868
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4320
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3336
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4308
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4236
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4152
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3028
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2836
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3240
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2824
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2680
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3192
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2504
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2256
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5960
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:6096
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3896
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3000
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3852
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4420
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4348
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4232
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1368
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:572
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:596
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4940
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2084
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:4020
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3392
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:1544
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:824
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:968
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5532
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        Views/modifies file attributes
        
        PID:5408
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5092
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5392
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5348
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4756
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1656
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5660
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2256
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2568
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:668
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4092
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:656
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3788
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1816
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5808
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3568
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4944
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1192
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4256
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4936
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4000
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:4012
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:2648
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5924
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:1496
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5200
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3332
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:3420
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5204
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:868
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        6⤵
        
        PID:5088
    - - C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3716
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259427322.bat
        6⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        7⤵
        
        PID:1648
      - C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259428523.bat
        7⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        8⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:672
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259429787.bat
        9⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        Views/modifies file attributes
        
        PID:312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        10⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259430349.bat
        10⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        11⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259431441.bat
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        12⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259432189.bat
        12⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        13⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259434061.bat
        13⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        14⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        13⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259435107.bat
        14⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        Views/modifies file attributes
        
        PID:588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        15⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259436292.bat
        15⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        16⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        15⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259437415.bat
        16⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        17⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        16⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259438741.bat
        17⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        18⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259440910.bat
        18⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        19⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259441846.bat
        19⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        20⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        19⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259442922.bat
        20⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        21⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        20⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259444030.bat
        21⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        22⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\DFD259445028.bat
        22⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
        23⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\rsmyjsp.exe
        
        C:\Windows\system32\rsmyjsp.exe
        22⤵
        
        PID:6352

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\DFD259429038.bat
1⤵
PID:2596
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1356
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1548
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4800
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5976
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6104
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3812
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3144
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3044
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3004
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3468
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2308
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:656
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:780
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1488
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2552
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2200
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1332
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1232
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2180
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2416
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4488
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1620
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3348
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1488
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1484
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3112
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:472
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5540
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4348
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2360
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2152
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1328
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4532
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:6004
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5848
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1904
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3704
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2552
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3688
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3344
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1416
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4804
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4184
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5796
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5776
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3284
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5640
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2896
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1472
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4776
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4976
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4092
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5616
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3360
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3544
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:5088
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:1584
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:2944
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:4492
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  PID:3984
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\system32\verclsid.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:6096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-143024381-180673139-124123791014723147828787278585891651985448918-669444954"
1⤵
PID:4800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1621601586-84112690514498277095686261211228152434-1763663727981802498-984043102"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7229721971798838785-1428455931-153067188-2136425536-1016601945-518990700-329148166"
1⤵
PID:3328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-695325337-10472968772321057668799903141673329625-1894657887561673936-324845174"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1076294364-1062746690-2090899529-1247578336585416864-5581268861108759628438975770"
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DFD259424062.bat

Filesize
176B

MD5
2afeebcd2748d7fe6a9deb1ef8f83046

SHA1
4bddd82d8955f53a4a8ca922286e02858dbe1eda

SHA256
c0348f6f1c884212db58ebedf50a1f852712366063e5e8c3ae9701b0b4f7e731

SHA512
457f362c884681eb306f6c8718abfdc468eb2598ef46a9740381cb89919ffdd34f5e2fe15967eee3559de493f12d5abb6959accc395037f3f8e15e06f13446cd

Download Submit
C:\DFD259455574.bat

Filesize
290B

MD5
ae003e1a86c6c66a0c23372e8a9235a8

SHA1
d07bfe13395e7fb4d6d991f46d9dd6913f3e7b2a

SHA256
0d395ffe105ecbf13db468dad39add0926a44fc2d7f5f4a461b880d781847293

SHA512
4c912126eb01129b492f1f8e147fe37dd3e6e9b3eea5c92601aee438c2f960299960e3285999f92cb7785b0a52f0e0ba86030170e67e1f7b5800afa20e3aca4a

Download Submit
C:\DFD259456104.bat

Filesize
173B

MD5
94797a020d08744b0e749ec922b643c3

SHA1
c7f957d9b3ca0d12715cc43b84f6852ed92be198

SHA256
7ca9acac480633cdbb69022e7550ad7063c0afddcee1b22f4a657a1472ba53f7

SHA512
73de0f844922eafdd09e6f5309a202eb62abaf20f40cfa85fd0c035846aae5356842f0143008c497c0a1ce39b53e14d87043f4d9e7f7688ee1e0ecb02d2ca345

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
1KB

MD5
41044ddccba5bb21f4c78b9db4b08081

SHA1
41b33a138885787942bea2e68e8b6945bce93ffc

SHA256
fea89a5b3e62cb22567e7883f7f5cbdde208eb9ccb33d06eb3484a1e25178f88

SHA512
1fbc76646936e9ceffc0e737a346e1c913dca6aeec6b6c32d6c5968ed221c3a94ec8981727c6553abdb2c32ee59082d595a023a47ec0bbe9e51ab7d6015c89a5

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
7KB

MD5
0e748794f3b9d01d049ecd95cc8e3c95

SHA1
71dca2ea3b16d41b9d9c86a881c75719b08bdcd8

SHA256
1634258a562fd4274fe25053baa18b75492efff950d6def9aa7af0861790abac

SHA512
d87adb811596f762f684ac19889ca44c5e3dcde10d52446e2dc53f4b5ff45dff097dc92d2c8b9d8558a8b8f5b72850baf83d93ce714ea07c1f510d771b6c2470

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
1KB

MD5
cde621423d192abdcfdce596e5805bfb

SHA1
4f1b318063753e24856e16bcf56d054e7cf25f09

SHA256
a79a3a51fb6b0fb8db817f116a0fc7dabffb6479b1034978c644fb12bc5ef024

SHA512
13c451883f5e4640e1cedded60337ff7771722b6bde97f17ee8d6fc449888ffcd9657fabeb48bf3ee1555b644dc324e1021fe1d57acbf6a054c6e29c204d55b9

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
8KB

MD5
f92598919dbec4e330e8378a24429c88

SHA1
eb165fb77460c2dc77a268198542175cd0cf5a6d

SHA256
68040af5ec477099a38033180107a5c38e16873ef4f5357536bd83445109d195

SHA512
904eb99bbb3f85cc1c90a75d7ae4ef25dd1fbcef16dca72fa989805a9c5785746d3bbbd514e2c80b883bb0784f625beff0b0a623188272728d2b336e580eea66

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
8KB

MD5
01ed11ba09250074cd8c9d45ff6be291

SHA1
8b4e2151cb9a29ddef896e1fb6a4922cdde806db

SHA256
781fd533a8136b424ddfb90487c5c1506b0d7a6f871a09c944aab3dbd2fe1200

SHA512
c0f3f5d113cc5b0c110bcb99174c286752ac3c432629d0fa259577325f3dd60225d6e8224c509d046ebf2f62aae98d07375cb5300671d8da895705b350222ce7

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
9KB

MD5
02858b77585f22f2781ea18b41bf3ad7

SHA1
3f8b32292a04738cf396060c238c4046d2e08b71

SHA256
f8cd9e1ef4a7728282b41357209702b55d13715d1bb97b3d733a65a62edc713a

SHA512
18dce9bc18604c0a4b2c83470b70b5b24d7ad2955bf034a33bbef9745fe3ee910d78e1ad34404af89a0d2cf4eabcc3858ab7fcb619b4c394e3e8e067d0691335

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
9KB

MD5
e351291f7266d2aa26db7d479ce9dd5e

SHA1
051ab36d688d80c394c6e777bd516a1b362d54e9

SHA256
29c628cb295a69057af61a059e6ca5071dcb7a352d3feb585361ca761b9fbbed

SHA512
83ecfe75648d8dcb3cde9d8cec75edf6d27b99eab70afef95b9578721a5f9a93dd49c084c64bc9539d406132014da916048918daeaea18e85c542d55243b7554

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
9KB

MD5
5ce0a2358c966d9e7cbf6136bd344dfa

SHA1
3b0a11af0b070241fcdda7115c4501c5ad20a945

SHA256
98b4225255d19f76edfc4ce00f398730a37cf191129fb77d66e086ca9c01c16a

SHA512
0bb95d12b4e9cfc2d1403646bf1634d46ee078d8d43f05ee2e4003b3dea70f8714af00ed08d6626c7ddaf27a83445c02ccd7410591c3645808b520b324589c26

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
10KB

MD5
d44d74a85d15cc5b65a430036dad4b0c

SHA1
0a3af8fbdbe805caa12fc4cf325efd5c2e0b924a

SHA256
ded9518e609eaba4d6a0d441b823132cae77ff4152db2c69cf6bc5f98a702854

SHA512
634bee9af31334aa1b4271b739192415dd8b8ed97db47fe531cf7cf04b15d88f0543f1f9210635993bfdbcf438fd33d6ef11b1d60a6860e736e4af9e28a6b192

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
11KB

MD5
3ff75ebb8df50a0668ae40385851e616

SHA1
dd218e7505b0065fc3b026441fa489e5bcac3623

SHA256
62b0e4510a5834d64c49592a05477ad12e63145b86c1e5cdaf765c162274b59b

SHA512
c73fdd9784da043bf7224ca6d21e268bdb11a058d43198c07d9fe63e93dfa8cb79dd13c4a41495f9c4a13f433e8b72ef5d5de2743c0d3a9bc5db18cb21f5126f

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
11KB

MD5
453ca8b6341cb212c76dc6d0b07b785d

SHA1
245db1b1f8955bab8524f52f7569029e55f5716b

SHA256
a98e7889670d89fd9c647be4140a5b793c5da538ec063914da781f5d1b2adf3c

SHA512
31ff828424add0c442f019a5c14caaddfbad50977edeb08e3254b32ffb36f21c3a410333ed07a714ca0d5691b39c3053cbac1cacd7aab57202e5c8bee0f67dfa

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
2KB

MD5
1fa18bbc813f645613f2f053540af6a5

SHA1
731c60720aef5806bdcfba7b314e2b2791b0f5c9

SHA256
d2cc767d18076e6d24b9d117dbe77e5f3caf52e0a774eb006bc334b371382806

SHA512
0d14dde45333434a39ca1390c8ebf7e9d0e7e29e4a0d7761a45ef95fcd39e1b505409779596dd0a5b671feea35229b624fd4bd682fd77f74a7ac7646caf5223d

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
2KB

MD5
d45457697be70f0af7bc871c8313f17c

SHA1
c659054d16f2f8f7579cc967562bae57beec0c6e

SHA256
153ea1536aa1659a21fec3aa1a4d85d5830bcdf3324c47208b0bc69c1fd71ccc

SHA512
a51d4cd0c6f824561e46b0014ed3ddea9d386bc73703a9786ef22d671636498e26dfd4bd43c5d5b1f5851ca5f3b54f1e3820cdd0a12da3e59d81d823282d71cd

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
13KB

MD5
2b864112b149191e3506695b8a3b2161

SHA1
dae4d892a5475d162977f0da995d867ffa1d6b89

SHA256
a0eb777fae654ebeaa1d404d3dcb8eb451f22972d5c5c71aff1e697f15958f7f

SHA512
b90f8748315d259f8234a31a59e9400ab9b5c2a214f45bd07b1b5997706a771df521bd953172cb6f265bfa549b53c579d4b6497339192cc2bbaab0e457294840

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
14KB

MD5
615bc40ecb8471534f3bac2260752565

SHA1
10f8508d20f9e005cf0b5cd4764fd0ad8689a714

SHA256
de02bc7d9b7c2dfb045ab13b82dc24a1b74ab536a560ac7fd0a56cf78a6053de

SHA512
2bc267fd3fd5585a9dbc181ee18b48e557df0fa5a9f7278858ddc0245667749f9130467cb2adeea7a9a2652af24c94f6ba60c9dfce7b51b777a43a9b9dc0c9ef

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
14KB

MD5
43efacb0247cddfdf6358d6161c71d18

SHA1
3a5dfb5d84d56e52c35a5c5eb2e403a6beec762e

SHA256
fae119a9466bfc9823b3308b74772744e1d78450aeb13727e623abe53e021d27

SHA512
21a61820a77f63bf5fad75d4e98d31210a80116cb40b6dc7c36eea4509f65a555176f3426b1dc3575c3cd5c9b1f67156f4c421ed5b685c764a21ce41e9f7ca65

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
6b14eb18685b93ef4f4d8d9318e571ff

SHA1
ed1b8ba398efd80d66121cfd517c49e7b1390a50

SHA256
75694840857628d32eba3e80004163c32472a7d32e453b82b2078173d2ba77de

SHA512
dd0630980678ac61f632a6e6d46ea66250c84d04e65be8ced1365d28102c8623f85a51d5532c25763988851642a2054a162583ac76c39799332ef5f24a4430cc

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
5e94a32990c7d12ce5719b30fe6bfc6d

SHA1
04c78e3244289dbe5398d389164cb4a526e7f9d9

SHA256
af82964f37da5724ee028c50ab66ff2386c475dfdc07a5789f1ec6de929c239f

SHA512
ddd7297624bed52e474ab227524877fe2a2ee2de904e47e62900b841a0ce6732b5cceba430b79631af6cabc0832076326c5a5bc60835be28d5215a76c0285109

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
15330527103c500744e9bdf61c21ffbd

SHA1
e63c776666e82ecc065f84eb7e65f9a62458429f

SHA256
c55d0a82c739c8932c0f48862feaf116f5ae7aa22a0011aa7126375b5347093f

SHA512
ef04573a350ff52474466d10c278eb696048a6f6b152c9781f181327678e8744d9c30f8dca5a5aa23554fa615677ef5ddf99f12e46ae47173d353efbe0d070d3

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
0228a1a2855feaa63cae7721fea33ab0

SHA1
662b07b0ac596270383d00c634733c1eb7a7ddb6

SHA256
a5728b8456ea42e5343d1314f8df10a1f75871e79905208b95da9b9ca58e355f

SHA512
9e32e8b8ca10e580962c55b37127560df1d760692c488b043932f58801eaffb0d7d39ba2e4c29426257e3684aeefb708caa866d802946f135bbbcbe046ae9d7b

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
3KB

MD5
30db81e16e55e78e408cb2ceb0a87a7c

SHA1
91a12e28579bb1fa7919cfd601d5b8f402464900

SHA256
cd4988a15eb84de08c43a4085aae2417b3d3930d0cff4024f6c9ddc81e330320

SHA512
cfe02fd5c2290069caee99c2912f6a5e8ecaf1c9cca927490be122526a4574da68846d050bc10cfd308b11733f98a4987a6d64c7c11b6e37aaa79a78f736aeff

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
3KB

MD5
c503093865800c0688892beb81498fdc

SHA1
8f4c99323089d7632b4eb209929d8a2bbf89ecc8

SHA256
37c867de4c1c32e2ef508fb1e3580a3f76f7430d1d26b127f699992c4da8b043

SHA512
2d463832030d4d4eb5573e343d3d9cc5b4f0cf9d8de7e5caa483e211fd936ae4ce717af6bbb55c0ccbb090505992a0fc747c0542d31dabc481bc59610aeb3c9d

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
5e42f0ce2121d2aa865368500a048853

SHA1
7ad3abd8b8b870280f6e9ea0280c99a7f90da4cf

SHA256
c54e88f8b5944331ec07e8eee46079d6400c4d68a79ba971592fe7e4aa1a80ee

SHA512
6542699f8e49d7d4edae1dede2063e47b2f2991e9c7cc590dd40ae49da076731635696df8d3b5487913394bd60685822380a21001907c6042eb489d2b4300031

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
2ffce0762b474d63d493b6a5bedbe5c8

SHA1
2c9a5452f21a5610a5acc1f77e5ed434e384ed4c

SHA256
867b2d588446bc0fcb8e68bc08a16d23f2b38c223ce77b0c44e895d288acf6e8

SHA512
49af922ccb2e855bc014bc38bb65fdf031a0e1d4fdfa590528d4673efe9eee07f364ea0cd4b98a0c32a192e8145f678829c5f28419f57f7cce5469944fa6eb10

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
ceed1cb81f93dd7de620c469e49195f1

SHA1
2898bfad2f222d534207f78e7fedb1e92d59b9b5

SHA256
9469f597d7a11cc368bc4fe66fafaf9b8e8ad237e51527c3cea9003dc90f98f3

SHA512
50f5358de0f07aa6aabc8666695238594dc084925ce0a79f8825967f7637711aeefc095712399f1b597a361a208bc15334dd8615d4f2521cb7a1c6299368b3e8

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
5dbaa3c2e4d673c40ae075131091bb5d

SHA1
7a1ac75665c70a94d911c38943150c51378d2567

SHA256
a1d53526e35b68d65d581dd3224b7bf5672b86bb99717e495a20f4ea6440e97d

SHA512
594e99b68073f89894f00d557ecd25dd7dc2e039652640ed454abbb0a4a495784cc57a4067c196a8b992f9017734182451d74ffe29ac30728cf92f0a99e5f1fd

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
35673319c73a40c9a23258b42bc67514

SHA1
a5d976c3bf90985b5c6efc9fc7b4833a7cb393bf

SHA256
4711438ffc2b34db6460f7e8eb52dc71be4a4660d1392072e8936f2a0d8ebbc2

SHA512
ddeccfe0fcf204a5b4715a3dec1e3069627e2670900b6c33d192465316ad95495215ffa4c1d192bea344703b9b77f9c704c6384790ace2043582bd35cd654a0b

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
5a9e1edc26b4b50194c69eedcc859617

SHA1
165fb9395277fb0d0f555cfd80774d1dc89db9c8

SHA256
930a2d9ed8f4a4b0d6e8b9e25610c42c08a6d2e4658452908fa0b0e51281cf69

SHA512
dd1761db227b5a0e7b2280ccb935191c5bcc032d0d3d054008aa996b17a7ecb6952d9ffaead1e97fa871c462414d98e992d3220ebdea44c31574a2daf0cb45f4

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
897742e0f5d39c773ff1a2413d761b3a

SHA1
04e7f1198b238f36496434e8d73cd5f26a311584

SHA256
cbe151ce821c02bed8171f8968be6687c1799993b65a841fce3fa686319e5c39

SHA512
b107378697a38688d2eedb9dd12ad4a5da968642597dd212bcdfcfaa7b644728ac194b20735313fac457c512329c544fbad4f077fcdb6a4822a301fc8f93dc28

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
ea4ce505b70c935d06f5f17643b90891

SHA1
79743227627af0f27de8972c25f6795949386374

SHA256
b2d6d1761200ab0fd701197f96ea830fe4f069e1f44a33d16c8f00099582004c

SHA512
8f908f8ae48f146f3c2bc9e2a191406f149e8f621b277cb565d426f1e80fcc513e7da7d0d0997659b00854f0a4c72dfb53104bfc1d3cadb1639c128f7d5b96e5

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
8035d792c6ec22becbf4b3c1bcdf8d25

SHA1
a9dc354de6c90ee7c77c9c8fca30b577287e5321

SHA256
27fd5082bfa47c0f1f68282722c0e0835f77d1fb64a6b3dfb4a85ef17d9c6e65

SHA512
4a53cf8efcd7b7639728c267109844a203748001001b61fc6d3c5c879cf59ba5bdaa32825aa93dc92c35777f9b8831736e9dc597991f11bb2fc6cafefd079e56

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
8f928c94ecf62912d54e64fc3bfc7f98

SHA1
e94ab9c540c2ec1a16f752e43b10874d0d257539

SHA256
8274cd883cdb31465a45d061c868980387e66d868ba308f5ddffa9fbb0443575

SHA512
863656e360ad4289ddfc723d03404f243b30b0a27ac9a67eadb7af246b4f218d2b77e988555df51e533b056500cb1c6c11514b873ea34e504e48d41191be6ef3

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
4KB

MD5
80216a0aa43b629fb4d36ebb4a557616

SHA1
2b0cddcb9ecf4cfce92287b791b6272909f64c23

SHA256
e23af748f46118105946859b5adb6ec145ee50ff35f0d7d72f8e7467a2cd3b7e

SHA512
01df5ccaec4d68ecb5dda8469523bed493f33e50728c4173ef034f5ae353b34a12e794fa8b9dced67ff7653de5abbb87c906e24cf33e554c2204958ed902f9fb

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
4KB

MD5
83e77417b4a421de9b0a582e153c9ecb

SHA1
dbefb1561875ffd0ddf65d40443113a8acfda11e

SHA256
d40d30097b16656ea2bd302dade0ccd3a6cc201d7e178476bff03ad1ad5264e5

SHA512
c0d0eaf8bcb07fc23c30fa0b20ae022440c0ed7d7b4f5c5523bfa2a9ffa8115b3ce1a9038e3b6171b138a360316540d71995147752124ce1d24e779938303dda

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
7e9dfb449621ca62e3507fd1602e84d2

SHA1
8b295995cc9665901f0f17dd448a3c576630337a

SHA256
7d143972f5f126ae3d28343ce1b97d7bc8a19759e8722da3e98268b777e0e862

SHA512
3c15a1be4558ce7c1402e7889d79dba412f77401e76f4b4d8918e97ade6394d6e465d3dce57d63f7eff94df24e58fc302f7efba40fa66061e1668ceb52ec8c1e

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
a30095e13cc173abf410fd1a70a2d777

SHA1
ce118e3d3fad2349764f61fe2f4cb57e8ab2f729

SHA256
37c411167e8025aff32f88efe598502c063c28c1d09102e8e4c7a9f6efd84a22

SHA512
1244cb2a7c4aa11895899e233e27d10d2f5d8f6afd8f58e777e03c861dc0f39c4abba6d0fac4499a9d5839e80d4fb5009213c86958d2f1a3e117c16f5b785e4e

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
f0903d89a94e37718abceb479cb4af21

SHA1
178fc7ade8833400c06311f888a1d6b768a55c6d

SHA256
8a7e3dca56d712c61a8ea385ca0e41766edcd20926321933af121395a5eae6b9

SHA512
07ff6d33f76573ca20f6cb9e4110b42b39505fb871cf5cd423977fe0e201c518be97fdeac28d67c821da57f54576de411cdc142ed8c3f6e775f15d2708eb4cbf

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
3480cbb7456e0c6d55eb15bbbb646935

SHA1
e007fe5b0899a71d063176b469aec26f6da9028a

SHA256
af2a09d75fb4b1e88574694e70728502c7974bfbabd4c1ddc3996ecec18485af

SHA512
f8faef1fbed13438db35766f58d63d74ea00b369d6857085c0970e982871934ff526b548bef0e34bc5d0353535382df800041e2337d74c69104a67e43ac6d839

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
b7ecabdc4455f2959270d15d456f768f

SHA1
50ba608b36eadcdd6db363f514eb85bc3685d6e0

SHA256
fe16a18bea7be9ad82e08311d3a13994cf9d55d5bf744dc1732282bce71c6e3c

SHA512
a2861d0d2fe3fa6f589c6a578e9e70b5049b725ac396d623ddcd65b74ef6acf08de8ddfb91f7c35cd81553d6f2528da3d49749984fae8aa94f042e47556ad0a7

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
78a14aae4004ef33624edc60f6a3f634

SHA1
9194917510cf10df6a7b75d897a0ef9f9fa3b0e4

SHA256
6b077a0c5063b3aeda27bbcdcb9bebb34dea4cefb9c12df7d303a2788a897b14

SHA512
bc27f61ba896ff4daf9008ca6699ca6e1d579d51a3d231fb7b15010e690c86993267cc4704b13ecd45af6432b5b8819519948fc12c375f4e94f15687276e3828

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
52330856edf515f4a9113d81b1544f94

SHA1
10b338b63608fa7d9c91b9d57a2af27d92e658cd

SHA256
de7fd9e388541bdcad75ed579f6d03871265d1a9e14d00c01f200dbef3f78588

SHA512
d286bbd1ae42b7f6c079abdcc7936b92fa12354524aacaf7b588c4d5c84ab5c1af53b94d972cb4617d9f655090e44f8561010fe25856b2502bbf0ce602c906f2

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
af3894c9a37fa0ff140b25f35deed72f

SHA1
0bee8c513e98b57a93ae8c1fd413d5840f9743c1

SHA256
1d2cf8b6cce63f51bb4b5796c36fb668ce6aed38f0ed240b1472499ce28b2b3d

SHA512
4bc05c1022fe1b0bc608012de6f9ceb4c0bccdacf1ca01bf8f570d8ebc688fc6b4a83c504ba57e2dbfee4d1e010b52bed7624e7b9fa3b9eee6726bea02605dab

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
3703e26eac0287962454070e01c91746

SHA1
2ee2906d4658c969aade65f1867a3d1718fe8d38

SHA256
01b2ffddfc2f5e43eb02d527c4cfcaa5628d799b1a3430ebac8d360e900ffd7d

SHA512
5aef0720e27ff79cb5ae0bc6b889dd53977c84a67a83af84d9388248bc2eb0dc5c8b487f95abd9a76802db849316f6923534f2b1f184e2b75eb08eef700b7955

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
f74a23ffdd25ec2754f341c1e5eb0e05

SHA1
97d68723c4105d0f623209fe24ca0c159eb9eeaa

SHA256
ccddc4ff177d204d0d73f1de6e329cf01353e45b5a2418681cfde889b8dd724a

SHA512
816f18c96f7006fea2b99c402ee4438e8414b392b4c2926676f17d6fb241a46ef32ad5324cefebc09be138a3733626eec8a714a6f25bb89a88e3625e337ac095

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
5KB

MD5
99c776610a7360847e54f033a643a3db

SHA1
754bf8af93028b893de69540a052cca391e9c8bc

SHA256
7d818d52ce752621e2776b817058f5e9df74f3b329132b39395b3495ec4ff51e

SHA512
21eb761bda0767faeb0a84d7d64b69fba4bc0b794d385a43857dac7385c22e58a1d317c9411ecd822a91ac16aacff46648537ab146418217a39a643e0cfe9a89

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
85e0bf5ab553c248ad12bdca0f6ba3de

SHA1
12eb0708434a0dff1e6cfa45f0ae554d76b841f1

SHA256
e80af6d2735614d95f8a248796425b6ddf2d4672a0c69f08877143b0fbce5aaf

SHA512
616b085ca41b868f5969412245a371555b316d27b35421fa8085057592920ca5f78bd446f2195eb4f7fac9914f5917f8e63116faa094a2674aa44a64e65d3304

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
d5e4821f12ed7a3434b19a27381ee8fe

SHA1
6daab4f2218d083a6d6622ba52001e4e2a5f5612

SHA256
91a4cba069e0419188fcee984822577512c03fa7f5246b6e61928f7b60cfd72c

SHA512
57c79f6c854ee45477c01c230a6ec56172c1e73ffa7e943a1152c0446ddcc988db195fd4155446e44ea996e5e83def13b53ae1510cecfcb5154409a0549d9e8e

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
493c1303684420b2380e620e751be5a1

SHA1
9726a73a31e8f0bc01dab6303652acefadd85f8e

SHA256
360ef2b69f581609dd9710960bf7079bc217b6e14a17c39591938b5c6bf631cc

SHA512
20118fc0e5b84171cb38f03b0c7a26dc7e12f8d36184c0035a969a24fb6746154bb65bbeb65a1d7bc6860c6e7f75aca7b0a071c4c0fb8521400fa2e17ab08407

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
60dc14c4dcdfaebbb4eb5846a68b690a

SHA1
f550e4ef9ec40b50c308a4b162a37f8c5a80bd76

SHA256
7025db21d94d1e6b152ebe1ba8fea77e3b33156e10774cef6f8bb1a73405ac32

SHA512
179beb4b907f25a3437d88853a0159b283634f28455df85c8cc5273082d76158e12d30b9dc31ca48bf5f4da68d06ece6451d633e3773f7c4e3e2e987249e48a9

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
6ea22a6b4540a54237553fdef3ce8125

SHA1
e9dd60f999aaedb70701081dfecb0f86ba0a6e19

SHA256
d4d9e14915329a5b4b92d375c1985f3e2dc3844694fcda60b2018cd089ca4806

SHA512
59fbe5819da0896cac28d2a8a113a4b33b4e5a566874e02955800a108635d8c91bf1dd00f8528df71745379344104b91d21cf2776ec173add17fbc29132b1a8c

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
3b3bc988879574286bcd4d59e03f77a9

SHA1
284cff0453c940d4f5473d9e59573c8f03f66272

SHA256
75f6e9925cfe08378c0c7af9c4e3b0e9827ce5135a181241c85aeb4fc684f089

SHA512
d06263e3d094019d5c1f9a7260ab29518c6c89c9dde4f5926c6d83fbeceabab7fe46cca69a1feabf69201956f3159b3501136116c4bf47d2227d23a67240b4fa

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
a73d5ba39b8f388d3d9d026284e6ce64

SHA1
3e2bfb1f6c71ac0622de17f7e0caf54dee820971

SHA256
2210ab7e1b010bb578a3970f0444a88fcc73537b9a7b1f858f04e3bfa0cd4efd

SHA512
92d3b0a776d486f363473600464505f7a8d274ae15be9bffa7df90b32891baef3f0f479741ceb850a1f14ce0c08bf3509999481e6dcf282c5005ac07b3fd5982

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
5443862803c44fbb0f96ec2a362b7245

SHA1
bb7988ebe0919852e328a61f001b994252489714

SHA256
52c2e8b3d4d5366a596f264983ab7bcd416fe8322c6981c365f7689e424eb5f9

SHA512
43aa15549a851a8e76db957dfb1d0d48b0f2cff0d1f43b26962397e60977d11ad329d453df1f7ca15c62c100fbab0c0b71436ae139b59f7a2c221808c70f10b6

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
2e34489472edae15891b72aa27753ec8

SHA1
9ceb7bcebb5630f5bba08b751bb235b78c36b82d

SHA256
d5fb679ccb6d262b83963640f187a47143e4a7acac9f8d99c7fc5360e8ca90ab

SHA512
982241cb329fb9f1a18515f0f526399a5478390e05eb3f7ccaa048e4ddad05f8fa9b3d16bb8ea8cd8ca2f9d82a181648a7df71119ec523afed190c6554e5d099

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
15KB

MD5
361dea069b37393f628550bc225d0cfa

SHA1
f3b7b8151e33853311124ed42e72834f5f098ba5

SHA256
9de8036b3fc14195a34286a7fae16361ef93edbc27cf10cef995bab5e4bdd093

SHA512
62b2bacb9aef1ff3d4b6a54d382ebb74d65647e7a58c2afc1f1c4782c2b1d4ddf7fac751c18cdafd81e70b44b66926713ebdcc27b6eb1b8e281dbb734392a738

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
5KB

MD5
dcb1e58f53a3049316885e1327897fc7

SHA1
b2d14c44f18f8621ad8fe9808afbcb0a9a4a852b

SHA256
6f7dc82a26af6ea62ce46186a2a5ceaa5ed23faa3351739bc70de4a3d7761576

SHA512
9dd5971c7666efbcfdf44663ae98458f56448b8740098baeabdfa59494d7a7920cccf9a232990e6ae8b87468ab08b5ac6c8a7e98d03fd927e0fca4fec198bbce

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
6KB

MD5
58a04c5171bb2c818fd6baaf23f8de7f

SHA1
de391e0b2fab2cabfa0f7468a130314076edacda

SHA256
641bdcf319496c585d7a954cef6fbf319faebb3049256aa2b533ad2ef6d2d559

SHA512
9c503287a32d41bc8331643da03bdd40ee7d6c529598393a54951091a0ca38f0b8b8f4cf813d5b074048cdc62d0f59b8936f83bbd77f3c5504642ef54ecd3ffb

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
6KB

MD5
f87a9fd85d8059df8b7445b85850cd3d

SHA1
c3cc77da711e4f1543cb751e0e3ee2011dd1528e

SHA256
2ab0be72b798dad23b4357a3d0fe908b5772539111336c4e5754052fdca8bcfb

SHA512
82186aeafeebb161a5a13b519321fa29e5328e4947e9a824d95122589ebd221fa33a9a823c6b48d1762317222c003c521d348f34344d5c91d610aa0bff072ebd

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
7KB

MD5
5c1ae7a856bb274ab52db1ea7248c2e0

SHA1
43ad23f78f946eb0709c4571eb0bb8dd7272788e

SHA256
0fb93ed8cf736f72105b884f6f2ca5d69078263376326d325f2ae19fa1d6ae0b

SHA512
3df4fa53fb43ffbda57da21b08620ad5d7b08f0e2fd9417a1ce4a818bb3c5e289335cde717d793f303e24c948bdb7129c6331c64ce06d769d154ecc44871af04

Download Submit
C:\Windows\Fonts\gemobnd.fon

Filesize
7KB

MD5
eaefe573846b1b291a9b7883b39be0ee

SHA1
5820535a954a98eff75c185611cbe4f3e4ef9e6e

SHA256
ed5dd5c4708f5322680d7a3fd7af9d1ad64cafcb5c3c9961f1c6fa4bd3668530

SHA512
ea90a302b70e08b7e273eb93df9eb47a61785f2ad99ae6241056a005aa4a5a53ac449ec93209f1b061cf471ee727523e84a4085cdf84ed9f48250fd9321bc7ba

Download Submit
C:\Windows\Fonts\rsmyjfgb.dll

Filesize
271B

MD5
a40f8af1441fc72616734761c3e9d130

SHA1
bf9683a61449ec11fb67bbc280f30a442495d1ea

SHA256
70c962daea57016db3e75ed6dbda8494f6bbaefa47130ab1da81bf5e3724234b

SHA512
60323e7c3f9b4d78f775b11d54f6baae99334af3ff8319198c89b50c79b5c9ecb4c0df35edba1ea33bfaed6cbedd20cd436615b48f1c204452cd8c14d757221d

Download Submit
C:\Windows\SysWOW64\rsmyjpm.dll

Filesize
515KB

MD5
f265bf91789cebb94da0b07934cb3cbb

SHA1
e4631899e2c94a024bcd5bf6cd94f5330942eeb7

SHA256
634795f5fafec4167c9d02421b98ab74014a2fe47835d78a61b04d029c34f22d

SHA512
443f88ebdfd0b99d3b24a7560677a0c5b95e3a1332cd31073c0b99592328a12d501239e1113c3e1cdcd97b815e0e81a40ebc9ee0da35c484b4d71efb1c0429e8

Download Submit
C:\Windows\SysWOW64\rsmyjpm.dll

Filesize
515KB

MD5
049106c613f04d43b7ac049ba4efb11e

SHA1
b8fb38c86a02898a74b677b66b81786d80587f5b

SHA256
0c509f4ffb14bc07d805a6b9fde92fab72423f067ac72d4454edfed323f01d38

SHA512
672e2bc5e3c9871b488d3cf3a68c118e0e3ad1a961ba0216abf29166cdb13773a18ca627cfe60bc7e6342394632e64fbe7437c31e2ed6f79fe0b4e03b81d4506

Download Submit
C:\Windows\SysWOW64\rsmyjpm.dll

Filesize
515KB

MD5
e44743f1ea7ef6c38c68faf21c59ed04

SHA1
dfc371cd4113db25d5aab8e832f868afa40f0284

SHA256
0dc8818d667c8977db52c4c1bbeb4c6aca346c1be282b2b877bbe57a2069d7bc

SHA512
9dcda56e14871201a344461ae62869f20efe76434dfdb3f4e1365aa46c2574f6fed4d36234672c3bfe0ea9888dee79252c39df5c309d53e290cf423db12c2699

Download Submit
C:\Windows\SysWOW64\rsmyjpm.dll

Filesize
515KB

MD5
48a3bf4417656e8f35f2c69735084c13

SHA1
fc62ddf5708ff5d5c149b8a022a6fc4a1ec19088

SHA256
58f7a769edbaf337e2e9b9f38f4019854dc325fefb86ecd355cd33b1553d4480

SHA512
7d551fc5d9ad7b2a701d3c2901244eb4dfedf125dfd29fe6c81690885a6ab574adf8d5b79b5e037ead186cd4029b4c426989eee0a05caa05e9484c90fdb75664

Download Submit
C:\Windows\SysWOW64\rsmyjpm.dll

Filesize
515KB

MD5
5ba628be60a0c94236d450435f8c7c59

SHA1
de19808d0034e1a3091efdb1fb5dcaf21898196e

SHA256
80d1e4317543237e787d6570922b7b4deeac8c61ea9abcf32e6a1e19ca73d0c7

SHA512
17eddb30becef95ee82a276394f301fcf6e4e61eeb517a171905300c4772be7d1e54b3a948c953d50d6e8dad1b6ac26d74e8777ff3e1fddea97382f2fd8d837c

Download Submit
C:\Windows\SysWOW64\rsmyjpm.dll

Filesize
27KB

MD5
4c63e46c715fa2ddaedaf5dc85afcb58

SHA1
cad7a81778f32e92f7e47dbda32548a29c028482

SHA256
b30edebc60e3b67a320ffdd17befbe049be9502079a608e82155f3d854ce58fe

SHA512
af0a85a4041c0d920ff83cea6891dfd8e580d3799f5e3859ddf86fd0c406ce0ca1d9267f80e5754f38b32aef65c8ced444154f2ad88d764125d8d5e9446e9fbe

Download Submit
\Windows\SysWOW64\rsmyjsp.exe

Filesize
27KB

MD5
220629ad845cc68f42dcaa831231127f

SHA1
c0a76703408638bed3e939ba4b19824d83e19559

SHA256
4359604c646ede115a9ef8451d7e35da22ab1a148e73bdbef17f3a075b4c2745

SHA512
2a9b4df145c3eefb3a24f2663de6853819fd9ebe38d8c39a186d2bd9f73e62f620ab7666451e73fd2110b48d446b811b9b9050bb734b89307f051765d9eea2d2

Download Submit
memory/388-4259-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/388-2113-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/588-24520-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/672-6387-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/672-4222-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/672-6386-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/1792-15884-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/1792-15883-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/1792-20282-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/1792-20280-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/2072-15885-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2320-1034-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2320-1033-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2320-4220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2320-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2320-4225-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2320-4224-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2516-20156-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2676-14820-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2676-10585-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2908-20155-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2908-14821-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2932-8482-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2932-8483-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2932-13758-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2932-13757-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2948-11639-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/3528-16949-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/3528-16950-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/3528-21237-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/3528-21253-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/3716-5303-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/3716-3149-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/3716-5338-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/4216-5341-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/4216-3179-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/4216-3180-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/4216-5342-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/4216-3152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4224-1055-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/4224-1035-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-21252-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/4504-4258-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/4504-2089-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/4504-4257-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/4504-2090-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/4756-13759-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/4756-18025-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/4912-11641-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/4912-6388-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/4912-6389-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/4912-11640-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/4920-16951-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/4920-12699-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/5596-13760-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/5596-9533-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/5840-23427-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/5840-23426-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/5884-4255-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/6168-24519-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/6348-22336-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/6348-22334-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/6352-18017-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/6352-22335-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download