cab376dba17f99ab31a0eda48dc13c278d356b21a47cffb5dbfaa6856ad65b34

Analysis

max time kernel
62s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2e96de70e518631646a16154cd2dab8.exe
Size

80KB
MD5

c2e96de70e518631646a16154cd2dab8
SHA1

899de7a75187996ecc2e1cbe58c38c010dd57692
SHA256

cab376dba17f99ab31a0eda48dc13c278d356b21a47cffb5dbfaa6856ad65b34
SHA512

76b99bce1475eee6410a567f1376feb814f0e2f1cf16b4dc479562ec1a1e17f692a4c0c8d09298346741d78cdec5452640f898cbb6ddb749dab4fb4ed066be2c
SSDEEP

768:cDI8ys6q0TMm1zJHZ+GaBb2Vxit/vqJevfoJ6DVSLKvomVWdXW7X4sn:cDk1zH3cHBb2VxUcpKVSLChVWdXi

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
40	1468	sihclient.exe
44	1468	sihclient.exe
46	1468	sihclient.exe
50	1468	sihclient.exe

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	c2e96de70e518631646a16154cd2dab8.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	v6msn.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	c2e96de70e518631646a16154cd2dab8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	v6msn.exe

Executes dropped EXE 64 IoCs

pid	Process
3044	v6msn.exe
2968	v6msn.exe
3096	v6msn.exe
1624	v6msn.exe
4112	v6msn.exe
3032	v6msn.exe
324	v6msn.exe
3584	v6msn.exe
1996	v6msn.exe
1256	v6msn.exe
2756	v6msn.exe
4988	v6msn.exe
2156	v6msn.exe
2252	v6msn.exe
2292	v6msn.exe
1416	v6msn.exe
2220	v6msn.exe
3468	v6msn.exe
960	v6msn.exe
4092	v6msn.exe
2156	v6msn.exe
2372	v6msn.exe
2872	v6msn.exe
2008	v6msn.exe
2688	v6msn.exe
1680	v6msn.exe
772	v6msn.exe
3660	v6msn.exe
3788	v6msn.exe
2872	v6msn.exe
5048	v6msn.exe
1472	v6msn.exe
3204	v6msn.exe
5012	v6msn.exe
1524	v6msn.exe
3188	v6msn.exe
1964	v6msn.exe
2896	v6msn.exe
4928	v6msn.exe
3448	v6msn.exe
2380	v6msn.exe
1524	v6msn.exe
4708	v6msn.exe
4512	v6msn.exe
772	v6msn.exe
1700	v6msn.exe
1480	v6msn.exe
4508	v6msn.exe
1972	v6msn.exe
1344	v6msn.exe
4616	v6msn.exe
772	v6msn.exe
668	v6msn.exe
2396	v6msn.exe
3608	v6msn.exe
4984	v6msn.exe
2576	v6msn.exe
2536	v6msn.exe
4308	v6msn.exe
4856	v6msn.exe
1944	v6msn.exe
3788	v6msn.exe
2484	v6msn.exe
4288	v6msn.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	c2e96de70e518631646a16154cd2dab8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"	v6msn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	c2e96de70e518631646a16154cd2dab8.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File created	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	c2e96de70e518631646a16154cd2dab8.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe
File opened for modification	C:\Windows\SysWOW64\v6msn.exe	v6msn.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 5060 set thread context of 4864	5060	c2e96de70e518631646a16154cd2dab8.exe	87
PID 3044 set thread context of 2968	3044	v6msn.exe	96
PID 3096 set thread context of 1624	3096	v6msn.exe	110
PID 4112 set thread context of 3032	4112	v6msn.exe	125
PID 324 set thread context of 3584	324	v6msn.exe	135
PID 1996 set thread context of 1256	1996	v6msn.exe	145
PID 2756 set thread context of 4988	2756	v6msn.exe	157
PID 2156 set thread context of 2252	2156	v6msn.exe	169
PID 2292 set thread context of 1416	2292	v6msn.exe	184
PID 2220 set thread context of 3468	2220	v6msn.exe	193
PID 960 set thread context of 4092	960	v6msn.exe	206
PID 2156 set thread context of 2372	2156	v6msn.exe	217
PID 2872 set thread context of 2008	2872	v6msn.exe	230
PID 2688 set thread context of 1680	2688	v6msn.exe	246
PID 772 set thread context of 3660	772	v6msn.exe	256
PID 3788 set thread context of 2872	3788	v6msn.exe	272
PID 5048 set thread context of 1472	5048	v6msn.exe	285
PID 3204 set thread context of 5012	3204	v6msn.exe	383
PID 1524 set thread context of 3188	1524	v6msn.exe	306
PID 1964 set thread context of 2896	1964	v6msn.exe	318
PID 4928 set thread context of 3448	4928	v6msn.exe	579
PID 2380 set thread context of 1524	2380	v6msn.exe	346
PID 4708 set thread context of 4512	4708	v6msn.exe	355
PID 772 set thread context of 1700	772	v6msn.exe	371
PID 1480 set thread context of 4508	1480	v6msn.exe	375
PID 1972 set thread context of 1344	1972	v6msn.exe	392
PID 4616 set thread context of 772	4616	v6msn.exe	775
PID 668 set thread context of 2396	668	v6msn.exe	417
PID 3608 set thread context of 4984	3608	v6msn.exe	888
PID 2576 set thread context of 2536	2576	v6msn.exe	442
PID 4308 set thread context of 4856	4308	v6msn.exe	616
PID 1944 set thread context of 3788	1944	v6msn.exe	517
PID 2484 set thread context of 4288	2484	v6msn.exe	843
PID 1092 set thread context of 1396	1092	v6msn.exe	962
PID 3236 set thread context of 3608	3236	v6msn.exe	505
PID 1972 set thread context of 2512	1972	v6msn.exe	516
PID 516 set thread context of 1308	516	v6msn.exe	525
PID 4424 set thread context of 3036	4424	v6msn.exe	538
PID 3056 set thread context of 1188	3056	v6msn.exe	1075
PID 1488 set thread context of 1540	1488	v6msn.exe	562
PID 1904 set thread context of 4284	1904	v6msn.exe	707
PID 3448 set thread context of 4232	3448	v6msn.exe	589
PID 2484 set thread context of 5048	2484	v6msn.exe	1180
PID 3628 set thread context of 4348	3628	v6msn.exe	613
PID 1284 set thread context of 5076	1284	v6msn.exe	1363
PID 2912 set thread context of 404	2912	v6msn.exe	1049
PID 772 set thread context of 4120	772	v6msn.exe	1186
PID 3632 set thread context of 3336	3632	v6msn.exe	1257
PID 4072 set thread context of 4112	4072	v6msn.exe	670
PID 1420 set thread context of 3588	1420	v6msn.exe	1269
PID 3724 set thread context of 4620	3724	v6msn.exe	694
PID 2344 set thread context of 1724	2344	v6msn.exe	1301
PID 1756 set thread context of 2448	1756	v6msn.exe	718
PID 2424 set thread context of 324	2424	v6msn.exe	734
PID 4148 set thread context of 3644	4148	v6msn.exe	743
PID 1364 set thread context of 3344	1364	v6msn.exe	754
PID 5040 set thread context of 5032	5040	v6msn.exe	766
PID 1824 set thread context of 2016	1824	v6msn.exe	1652
PID 1492 set thread context of 2344	1492	v6msn.exe	1681
PID 320 set thread context of 3568	320	v6msn.exe	1743
PID 3592 set thread context of 4436	3592	v6msn.exe	814
PID 4504 set thread context of 2896	4504	v6msn.exe	826
PID 4036 set thread context of 3288	4036	v6msn.exe	1459
PID 4696 set thread context of 2052	4696	v6msn.exe	1866

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c2e96de70e518631646a16154cd2dab8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	v6msn.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4864	c2e96de70e518631646a16154cd2dab8.exe
Token: SeIncBasePriorityPrivilege	2968	v6msn.exe
Token: SeIncBasePriorityPrivilege	1624	v6msn.exe
Token: SeIncBasePriorityPrivilege	3032	v6msn.exe
Token: SeIncBasePriorityPrivilege	3584	v6msn.exe
Token: SeIncBasePriorityPrivilege	1256	v6msn.exe
Token: SeIncBasePriorityPrivilege	4988	v6msn.exe
Token: SeIncBasePriorityPrivilege	2252	v6msn.exe
Token: SeIncBasePriorityPrivilege	1416	v6msn.exe
Token: SeIncBasePriorityPrivilege	3468	v6msn.exe
Token: SeIncBasePriorityPrivilege	4092	v6msn.exe
Token: SeIncBasePriorityPrivilege	2372	v6msn.exe
Token: SeIncBasePriorityPrivilege	2008	v6msn.exe
Token: SeIncBasePriorityPrivilege	1680	v6msn.exe
Token: SeIncBasePriorityPrivilege	3660	v6msn.exe
Token: SeIncBasePriorityPrivilege	2872	v6msn.exe
Token: SeIncBasePriorityPrivilege	1472	v6msn.exe
Token: SeIncBasePriorityPrivilege	5012	v6msn.exe
Token: SeIncBasePriorityPrivilege	3188	v6msn.exe
Token: SeIncBasePriorityPrivilege	2896	v6msn.exe
Token: SeIncBasePriorityPrivilege	3448	v6msn.exe
Token: SeIncBasePriorityPrivilege	1524	v6msn.exe
Token: SeIncBasePriorityPrivilege	4512	v6msn.exe
Token: SeIncBasePriorityPrivilege	1700	v6msn.exe
Token: SeIncBasePriorityPrivilege	4508	v6msn.exe
Token: SeIncBasePriorityPrivilege	1344	v6msn.exe
Token: SeIncBasePriorityPrivilege	772	v6msn.exe
Token: SeIncBasePriorityPrivilege	2396	v6msn.exe
Token: SeIncBasePriorityPrivilege	4984	v6msn.exe
Token: SeIncBasePriorityPrivilege	2536	v6msn.exe
Token: SeIncBasePriorityPrivilege	4856	v6msn.exe
Token: SeIncBasePriorityPrivilege	3788	v6msn.exe
Token: SeIncBasePriorityPrivilege	4288	v6msn.exe
Token: SeIncBasePriorityPrivilege	1396	v6msn.exe
Token: SeIncBasePriorityPrivilege	3608	v6msn.exe
Token: SeIncBasePriorityPrivilege	2512	v6msn.exe
Token: SeIncBasePriorityPrivilege	1308	v6msn.exe
Token: SeIncBasePriorityPrivilege	3036	v6msn.exe
Token: SeIncBasePriorityPrivilege	1188	v6msn.exe
Token: SeIncBasePriorityPrivilege	1540	v6msn.exe
Token: SeIncBasePriorityPrivilege	4284	v6msn.exe
Token: SeIncBasePriorityPrivilege	4232	v6msn.exe
Token: SeIncBasePriorityPrivilege	5048	v6msn.exe
Token: SeIncBasePriorityPrivilege	4348	v6msn.exe
Token: SeIncBasePriorityPrivilege	5076	v6msn.exe
Token: SeIncBasePriorityPrivilege	404	v6msn.exe
Token: SeIncBasePriorityPrivilege	4120	v6msn.exe
Token: SeIncBasePriorityPrivilege	3336	v6msn.exe
Token: SeIncBasePriorityPrivilege	4112	v6msn.exe
Token: SeIncBasePriorityPrivilege	3588	v6msn.exe
Token: SeIncBasePriorityPrivilege	4620	v6msn.exe
Token: SeIncBasePriorityPrivilege	1724	v6msn.exe
Token: SeIncBasePriorityPrivilege	2448	v6msn.exe
Token: SeIncBasePriorityPrivilege	324	v6msn.exe
Token: SeIncBasePriorityPrivilege	3644	v6msn.exe
Token: SeIncBasePriorityPrivilege	3344	v6msn.exe
Token: SeIncBasePriorityPrivilege	5032	v6msn.exe
Token: SeIncBasePriorityPrivilege	2016	v6msn.exe
Token: SeIncBasePriorityPrivilege	2344	v6msn.exe
Token: SeIncBasePriorityPrivilege	3568	v6msn.exe
Token: SeIncBasePriorityPrivilege	4436	v6msn.exe
Token: SeIncBasePriorityPrivilege	2896	v6msn.exe
Token: SeIncBasePriorityPrivilege	3288	v6msn.exe
Token: SeIncBasePriorityPrivilege	2052	v6msn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4864	5060	c2e96de70e518631646a16154cd2dab8.exe	87
PID 5060 wrote to memory of 4864	5060	c2e96de70e518631646a16154cd2dab8.exe	87
PID 5060 wrote to memory of 4864	5060	c2e96de70e518631646a16154cd2dab8.exe	87
PID 5060 wrote to memory of 4864	5060	c2e96de70e518631646a16154cd2dab8.exe	87
PID 5060 wrote to memory of 4864	5060	c2e96de70e518631646a16154cd2dab8.exe	87
PID 5060 wrote to memory of 4864	5060	c2e96de70e518631646a16154cd2dab8.exe	87
PID 5060 wrote to memory of 4864	5060	c2e96de70e518631646a16154cd2dab8.exe	87
PID 5060 wrote to memory of 4864	5060	c2e96de70e518631646a16154cd2dab8.exe	87
PID 5060 wrote to memory of 4864	5060	c2e96de70e518631646a16154cd2dab8.exe	87
PID 4864 wrote to memory of 3044	4864	c2e96de70e518631646a16154cd2dab8.exe	91
PID 4864 wrote to memory of 3044	4864	c2e96de70e518631646a16154cd2dab8.exe	91
PID 4864 wrote to memory of 3044	4864	c2e96de70e518631646a16154cd2dab8.exe	91
PID 4864 wrote to memory of 4772	4864	c2e96de70e518631646a16154cd2dab8.exe	92
PID 4864 wrote to memory of 4772	4864	c2e96de70e518631646a16154cd2dab8.exe	92
PID 4864 wrote to memory of 4772	4864	c2e96de70e518631646a16154cd2dab8.exe	92
PID 4864 wrote to memory of 3456	4864	c2e96de70e518631646a16154cd2dab8.exe	93
PID 4864 wrote to memory of 3456	4864	c2e96de70e518631646a16154cd2dab8.exe	93
PID 4864 wrote to memory of 3456	4864	c2e96de70e518631646a16154cd2dab8.exe	93
PID 4864 wrote to memory of 972	4864	c2e96de70e518631646a16154cd2dab8.exe	94
PID 4864 wrote to memory of 972	4864	c2e96de70e518631646a16154cd2dab8.exe	94
PID 4864 wrote to memory of 972	4864	c2e96de70e518631646a16154cd2dab8.exe	94
PID 4864 wrote to memory of 4964	4864	c2e96de70e518631646a16154cd2dab8.exe	95
PID 4864 wrote to memory of 4964	4864	c2e96de70e518631646a16154cd2dab8.exe	95
PID 4864 wrote to memory of 4964	4864	c2e96de70e518631646a16154cd2dab8.exe	95
PID 3044 wrote to memory of 2968	3044	v6msn.exe	96
PID 3044 wrote to memory of 2968	3044	v6msn.exe	96
PID 3044 wrote to memory of 2968	3044	v6msn.exe	96
PID 4864 wrote to memory of 1344	4864	c2e96de70e518631646a16154cd2dab8.exe	97
PID 4864 wrote to memory of 1344	4864	c2e96de70e518631646a16154cd2dab8.exe	97
PID 4864 wrote to memory of 1344	4864	c2e96de70e518631646a16154cd2dab8.exe	97
PID 3044 wrote to memory of 2968	3044	v6msn.exe	96
PID 3044 wrote to memory of 2968	3044	v6msn.exe	96
PID 3044 wrote to memory of 2968	3044	v6msn.exe	96
PID 3044 wrote to memory of 2968	3044	v6msn.exe	96
PID 3044 wrote to memory of 2968	3044	v6msn.exe	96
PID 3044 wrote to memory of 2968	3044	v6msn.exe	96
PID 2968 wrote to memory of 3096	2968	v6msn.exe	103
PID 2968 wrote to memory of 3096	2968	v6msn.exe	103
PID 2968 wrote to memory of 3096	2968	v6msn.exe	103
PID 2968 wrote to memory of 1584	2968	v6msn.exe	160
PID 2968 wrote to memory of 1584	2968	v6msn.exe	160
PID 2968 wrote to memory of 1584	2968	v6msn.exe	160
PID 2968 wrote to memory of 4988	2968	v6msn.exe	157
PID 2968 wrote to memory of 4988	2968	v6msn.exe	157
PID 2968 wrote to memory of 4988	2968	v6msn.exe	157
PID 2968 wrote to memory of 3952	2968	v6msn.exe	106
PID 2968 wrote to memory of 3952	2968	v6msn.exe	106
PID 2968 wrote to memory of 3952	2968	v6msn.exe	106
PID 2968 wrote to memory of 4000	2968	v6msn.exe	107
PID 2968 wrote to memory of 4000	2968	v6msn.exe	107
PID 2968 wrote to memory of 4000	2968	v6msn.exe	107
PID 2968 wrote to memory of 4980	2968	v6msn.exe	108
PID 2968 wrote to memory of 4980	2968	v6msn.exe	108
PID 2968 wrote to memory of 4980	2968	v6msn.exe	108
PID 3096 wrote to memory of 1624	3096	v6msn.exe	110
PID 3096 wrote to memory of 1624	3096	v6msn.exe	110
PID 3096 wrote to memory of 1624	3096	v6msn.exe	110
PID 3096 wrote to memory of 1624	3096	v6msn.exe	110
PID 3096 wrote to memory of 1624	3096	v6msn.exe	110
PID 3096 wrote to memory of 1624	3096	v6msn.exe	110
PID 3096 wrote to memory of 1624	3096	v6msn.exe	110
PID 3096 wrote to memory of 1624	3096	v6msn.exe	110
PID 3096 wrote to memory of 1624	3096	v6msn.exe	110
PID 1624 wrote to memory of 4112	1624	v6msn.exe	162

C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe
"C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe
  "C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\v6msn.exe
    "C:\Windows\system32\v6msn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\v6msn.exe
      "C:\Windows\SysWOW64\v6msn.exe"
      4⤵
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        6⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4112
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        8⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:324
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        10⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1996
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        12⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2756
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        14⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2156
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        16⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2292
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        18⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2220
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        20⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:960
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        22⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2156
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        24⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2872
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        26⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2688
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        28⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:772
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        30⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3788
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        32⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5048
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        34⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3204
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        36⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1524
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        38⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1964
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        40⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4928
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        42⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2380
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        44⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4708
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:772
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        48⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1480
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        50⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1972
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        52⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4616
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        54⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:668
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        56⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3608
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        58⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2576
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        60⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4308
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        62⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1944
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        64⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2484
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        66⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1092
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        68⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:3236
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        70⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:1972
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        72⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:516
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        74⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:4424
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        76⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:3056
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        78⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:1488
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        80⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:1904
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        82⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:3448
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        84⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:2484
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        86⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:3628
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        88⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:1284
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        90⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2912
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        92⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:772
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        94⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:3632
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        96⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:4072
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        98⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:1420
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        100⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:3724
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        102⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:2344
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        104⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:1756
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        106⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:2424
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        108⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:4148
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        110⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:1364
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        112⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:5040
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        114⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:1824
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        116⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:1492
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        118⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:320
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        120⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:3592
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        122⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:4504
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        124⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:4036
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        126⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:4696
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        128⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        129⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        130⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        131⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        132⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        133⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        134⤵
        
        PID:960
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        135⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        136⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        137⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        138⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        139⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        140⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        141⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        142⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        143⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        144⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        145⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        146⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        147⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        148⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        149⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        150⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        151⤵
        
        PID:620
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        152⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        153⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        154⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        155⤵
        
        PID:404
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        156⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        157⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        158⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        159⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        160⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        161⤵
        
        PID:404
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        162⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        163⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        164⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        165⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        166⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        167⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        168⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        169⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        170⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        171⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        172⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        173⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        174⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        175⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        176⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        177⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        178⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        179⤵
        
        PID:564
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        180⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        181⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        182⤵
        
        PID:652
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        183⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        184⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        185⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        186⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        187⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        188⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        189⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        190⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        191⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        192⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        193⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        194⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        195⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        196⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        197⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        198⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        199⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        200⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        201⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        202⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        203⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        204⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        205⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        206⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        207⤵
        
        PID:960
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        208⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        209⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        210⤵
        
        PID:928
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        211⤵
        
        PID:116
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        212⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        213⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        214⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        215⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        216⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        217⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        218⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        219⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        220⤵
        
        PID:912
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        221⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        222⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        223⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        224⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        225⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        226⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        227⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        228⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        229⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        230⤵
        
        PID:516
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        231⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        232⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        233⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        234⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        235⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        236⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        237⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        238⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        239⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        240⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        241⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        242⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        243⤵
        
        PID:564
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        244⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        245⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        246⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        247⤵
        
        PID:224
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        248⤵
        
        PID:368
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        249⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        250⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        251⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        252⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        253⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        254⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        255⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        256⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        257⤵
        
        PID:564
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        258⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        259⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        260⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        261⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        262⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        263⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\SysWOW64\v6msn.exe"
        264⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\v6msn.exe
        
        "C:\Windows\system32\v6msn.exe"
        265⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        265⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        265⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        263⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        263⤵
        
        PID:564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        263⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        263⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        263⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        261⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        261⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        261⤵
        
        PID:804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        261⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        261⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        259⤵
        
        PID:640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        259⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        259⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        259⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        259⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        260⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        257⤵
        
        PID:8
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        257⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        257⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        257⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        257⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        255⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        255⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        255⤵
        
        PID:396
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        255⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        255⤵
        
        PID:3788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        256⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        253⤵
        
        PID:532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        253⤵
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        254⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        253⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        253⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        253⤵
        
        PID:216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        251⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        251⤵
        
        PID:2052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        252⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        251⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        251⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        251⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        249⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        249⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        250⤵
        
        PID:772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        249⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        249⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        249⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        247⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        247⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        247⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        247⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        247⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        245⤵
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        246⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        245⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        245⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        245⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        245⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        243⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        243⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        243⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        244⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        243⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        243⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        241⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        241⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        241⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        241⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        241⤵
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        242⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        239⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        239⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        240⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        239⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        239⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        239⤵
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        240⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        237⤵
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        238⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        237⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        237⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        237⤵
        
        PID:2688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        238⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        237⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        235⤵
        
        PID:2424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        236⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        235⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        235⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        235⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        235⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        233⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        233⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        233⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        233⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        233⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        231⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        231⤵
        
        PID:436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        231⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        231⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        231⤵
        
        PID:216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        229⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        229⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        229⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        229⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        229⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        227⤵
        
        PID:940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        227⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        227⤵
        
        PID:964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        227⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        227⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        225⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        225⤵
        
        PID:932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        225⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        225⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        225⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        223⤵
        
        PID:228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        223⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        223⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        223⤵
        
        PID:4284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        224⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        223⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        221⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        221⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        221⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        221⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        221⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        219⤵
        
        PID:772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        219⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        219⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        219⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        219⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        217⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        217⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        217⤵
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        218⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        217⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        218⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        217⤵
        
        PID:456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        215⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        215⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        215⤵
        
        PID:620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        215⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        215⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        213⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        213⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        213⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        213⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        213⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        211⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        211⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        211⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        211⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        211⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        209⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        209⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        209⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        209⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        209⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        207⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        207⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        207⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        207⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        207⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        205⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        205⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        205⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        205⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        205⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        203⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        203⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        203⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        203⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        203⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        201⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        201⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        201⤵
        
        PID:456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        201⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        201⤵
        
        PID:1648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        202⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        199⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        199⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        199⤵
        
        PID:224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        199⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        199⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        197⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        197⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        197⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        197⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        197⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        195⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        195⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        195⤵
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        195⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        195⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        193⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        194⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        193⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        193⤵
        
        PID:624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        194⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        193⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        193⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        191⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        191⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        191⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        191⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        191⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        189⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        189⤵
        
        PID:960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        189⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        189⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        189⤵
        
        PID:1616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        187⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        187⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        187⤵
        
        PID:804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        187⤵
        
        PID:1364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        187⤵
        
        PID:2344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        185⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        185⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        185⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        185⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        185⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        183⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        183⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        183⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        183⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        183⤵
        
        PID:1764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        184⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        181⤵
        
        PID:744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        181⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        181⤵
        
        PID:532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        181⤵
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        181⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        179⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        179⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        179⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        179⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        179⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        177⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        177⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        177⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        177⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        177⤵
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        175⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        175⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        175⤵
        
        PID:716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        175⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        175⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        173⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        173⤵
        
        PID:1952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        173⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        173⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        173⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        171⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        171⤵
        
        PID:3500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        171⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        171⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        171⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        169⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        169⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        169⤵
        
        PID:3636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        169⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        169⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        167⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        167⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        167⤵
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        167⤵
        
        PID:4800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        167⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        165⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        165⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        165⤵
        
        PID:320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        165⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        165⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        163⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        163⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        163⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        163⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        163⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        161⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        161⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        161⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        161⤵
        
        PID:3488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        161⤵
        
        PID:4124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        159⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        159⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        159⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        159⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        159⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        157⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        157⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        157⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        157⤵
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        157⤵
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        155⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        155⤵
        
        PID:772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        155⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        155⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        155⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        153⤵
        
        PID:2576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        153⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        153⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        153⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        153⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        151⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        151⤵
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        151⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        151⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        151⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        149⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        149⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        149⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        149⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        149⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        147⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        147⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        147⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        147⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        147⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        145⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        145⤵
        
        PID:396
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        145⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        145⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        145⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        143⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        143⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        143⤵
        
        PID:3220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        143⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        143⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        141⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        141⤵
        
        PID:2156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        141⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        141⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        141⤵
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        139⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        139⤵
        
        PID:1492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        139⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        139⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        139⤵
        
        PID:376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        137⤵
        
        PID:772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        137⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        137⤵
        
        PID:436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        137⤵
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        137⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        135⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        135⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        135⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        135⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        135⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        133⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        133⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        133⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        133⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        133⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        131⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        131⤵
        
        PID:4260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        131⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        131⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        131⤵
        
        PID:668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        129⤵
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        129⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        129⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        129⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        129⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        127⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        127⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        127⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        127⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        127⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        125⤵
        
        PID:564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        125⤵
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        125⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        125⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        125⤵
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        123⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        123⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        123⤵
        
        PID:912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        123⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        123⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        121⤵
        
        PID:408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        121⤵
        
        PID:8
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        121⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        121⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        121⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        119⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        119⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        119⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        117⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        117⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        117⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        115⤵
        
        PID:772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        115⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        115⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:8
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        113⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        113⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        113⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        111⤵
        
        PID:3508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        111⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        111⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        
        PID:876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        109⤵
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        109⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        109⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        107⤵
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        107⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        107⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        105⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        105⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        105⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:2880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:3508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        103⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        103⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        103⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:2544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        101⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        101⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        101⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        99⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        99⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        99⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        97⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        97⤵
        
        PID:1756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        97⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        95⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        95⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        95⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        93⤵
        
        PID:2840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        93⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        93⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        91⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        91⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        91⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        89⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        89⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        89⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        87⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        87⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        87⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        85⤵
        
        PID:960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        85⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        85⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        83⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        83⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        83⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        81⤵
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        81⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        81⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        79⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        79⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        79⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        77⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        77⤵
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        77⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        75⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        75⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        75⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:1284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        73⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        73⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        73⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:3016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        71⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        71⤵
        
        PID:1988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        71⤵
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        69⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        69⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        67⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        
        PID:960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        65⤵
        
        PID:320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:3592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        63⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        61⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        59⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        57⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        55⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:1468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        53⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        51⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        49⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:2664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        47⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        
        PID:8
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        45⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        43⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        
        PID:3436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        41⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        39⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:3788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        37⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        35⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        
        PID:1736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        33⤵
        
        PID:960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        31⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        29⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        27⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        25⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        23⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        21⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        19⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:2328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        17⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:2504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        15⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        13⤵
        
        PID:1988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        11⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        9⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        7⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:1584
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:4988
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:4000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
        5⤵
        
        PID:4980
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C2E96D~1.EXE > nul
    3⤵
    PID:1344

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ee3f3f4ec65e5383714ce8fc18b3c373 pbLWGFo8GESYK2RErC8UDw.0.1.0.0.0
1⤵
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4992

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv pbLWGFo8GESYK2RErC8UDw.0.2
1⤵
- Blocklisted process makes network request
PID:1468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\v6msn.exe

Filesize
80KB

MD5
c2e96de70e518631646a16154cd2dab8

SHA1
899de7a75187996ecc2e1cbe58c38c010dd57692

SHA256
cab376dba17f99ab31a0eda48dc13c278d356b21a47cffb5dbfaa6856ad65b34

SHA512
76b99bce1475eee6410a567f1376feb814f0e2f1cf16b4dc479562ec1a1e17f692a4c0c8d09298346741d78cdec5452640f898cbb6ddb749dab4fb4ed066be2c

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
a3ba37f0afdc1fd9a69f4f44cdbc26e1

SHA1
5d667022420623974407a1157933b08c52e72d2c

SHA256
6d63d07049c5eeae2802b8fd9f4294e8a4620643dca5e6c4dbe1d0c09e60a4c5

SHA512
edf6413cf88bb1b5e7e5e04cc1f786ab934f41a18abd85dc77456f282be83f828559e09727f2b97fa2a50c46c95190b610c2cf28db24bdd7112d71a4a33826e8

Download Submit
memory/324-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/324-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-511-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-502-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/668-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/668-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/772-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/772-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/772-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/772-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1092-476-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1944-444-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1944-453-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-499-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-490-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1996-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1996-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2156-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2156-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2156-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2156-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2220-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2220-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2380-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2380-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2484-455-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2484-465-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2576-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2576-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-226-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2756-123-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2756-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2872-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2968-51-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3044-52-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-42-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3096-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3096-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-487-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3608-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3788-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3788-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4112-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4112-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4308-441-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4308-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4424-513-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4424-523-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4708-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4708-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4864-4-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4864-1-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4864-2-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4864-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4864-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4928-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4928-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5048-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5048-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5060-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5060-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads