8f2b1df6121a1aad9eecd3ce05146d2777ebeb439768add2d303657c6a4e0f60

Analysis

max time kernel
31s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
Size

42KB
MD5

27bed2b769dc018f0f0f329d7bd7f37b
SHA1

4f5f8985fe54ebae375bee381d95173166d5ac19
SHA256

8f2b1df6121a1aad9eecd3ce05146d2777ebeb439768add2d303657c6a4e0f60
SHA512

fedd890bbcf40eb1f2cbfe34f5cc2fd244659bd3ae53f8754dbcdcc31f4d15f9cd45ab27d2598c3d7ff61bc4695d83218cdd34662299cb9d3482f0f437ef8103
SSDEEP

768:Iehi6i18f3rIrRC6zjZj0YzI64MdOpkZ8Dew70T670Sg32L:rYq6CijU/j+kS+xL

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe

Deletes itself 1 IoCs

pid	Process
2892	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1408	nvsys86.exe
2600	nvsys86.exe
2736	nvsys86.exe
2752	nvsys86.exe
1688	nvsys86.exe
492	nvsys86.exe
2224	nvsys86.exe
2040	nvsys86.exe
1492	nvsys86.exe
2180	nvsys86.exe
1572	nvsys86.exe
2444	nvsys86.exe
2648	nvsys86.exe
2744	nvsys86.exe
1856	nvsys86.exe
580	nvsys86.exe
2096	nvsys86.exe
940	nvsys86.exe
1584	nvsys86.exe
2984	nvsys86.exe
2604	nvsys86.exe
1564	nvsys86.exe
2608	nvsys86.exe
2456	nvsys86.exe
1912	nvsys86.exe
1364	nvsys86.exe
760	nvsys86.exe
1284	nvsys86.exe
1736	nvsys86.exe
1520	nvsys86.exe
592	nvsys86.exe
3036	nvsys86.exe
2432	nvsys86.exe
2528	nvsys86.exe
2512	nvsys86.exe
2756	nvsys86.exe
1752	nvsys86.exe
1860	nvsys86.exe
2936	nvsys86.exe
1140	nvsys86.exe
2616	nvsys86.exe
2904	nvsys86.exe
1576	nvsys86.exe
2624	nvsys86.exe
2440	nvsys86.exe
2652	nvsys86.exe
2220	nvsys86.exe
948	nvsys86.exe
2876	nvsys86.exe
2396	nvsys86.exe
2016	nvsys86.exe
2164	nvsys86.exe
1732	nvsys86.exe
548	nvsys86.exe
2432	nvsys86.exe
2948	nvsys86.exe
2552	nvsys86.exe
2720	nvsys86.exe
856	nvsys86.exe
1804	nvsys86.exe
1808	nvsys86.exe
1584	nvsys86.exe
2516	nvsys86.exe
1556	nvsys86.exe

Loads dropped DLL 64 IoCs

pid	Process
2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
1408	nvsys86.exe
2600	nvsys86.exe
2600	nvsys86.exe
2736	nvsys86.exe
2752	nvsys86.exe
2752	nvsys86.exe
492	nvsys86.exe
492	nvsys86.exe
2040	nvsys86.exe
2040	nvsys86.exe
2180	nvsys86.exe
2180	nvsys86.exe
2444	nvsys86.exe
2444	nvsys86.exe
2744	nvsys86.exe
2744	nvsys86.exe
580	nvsys86.exe
580	nvsys86.exe
940	nvsys86.exe
940	nvsys86.exe
2984	nvsys86.exe
2984	nvsys86.exe
1564	nvsys86.exe
1564	nvsys86.exe
2456	nvsys86.exe
2456	nvsys86.exe
1364	nvsys86.exe
1364	nvsys86.exe
1284	nvsys86.exe
1284	nvsys86.exe
1520	nvsys86.exe
1520	nvsys86.exe
3036	nvsys86.exe
3036	nvsys86.exe
2528	nvsys86.exe
2528	nvsys86.exe
2756	nvsys86.exe
2756	nvsys86.exe
1860	nvsys86.exe
1860	nvsys86.exe
1140	nvsys86.exe
1140	nvsys86.exe
2904	nvsys86.exe
2904	nvsys86.exe
2624	nvsys86.exe
2624	nvsys86.exe
2652	nvsys86.exe
2652	nvsys86.exe
948	nvsys86.exe
948	nvsys86.exe
2396	nvsys86.exe
2396	nvsys86.exe
2164	nvsys86.exe
2164	nvsys86.exe
548	nvsys86.exe
548	nvsys86.exe
2948	nvsys86.exe
2948	nvsys86.exe
2720	nvsys86.exe
2720	nvsys86.exe
1804	nvsys86.exe
1804	nvsys86.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 656 set thread context of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 1408 set thread context of 2600	1408	nvsys86.exe	32
PID 2736 set thread context of 2752	2736	nvsys86.exe	43
PID 1688 set thread context of 492	1688	nvsys86.exe	62
PID 2224 set thread context of 2040	2224	nvsys86.exe	73
PID 1492 set thread context of 2180	1492	nvsys86.exe	84
PID 1572 set thread context of 2444	1572	nvsys86.exe	95
PID 2648 set thread context of 2744	2648	nvsys86.exe	110
PID 1856 set thread context of 580	1856	nvsys86.exe	115
PID 2096 set thread context of 940	2096	nvsys86.exe	127
PID 1584 set thread context of 2984	1584	nvsys86.exe	145
PID 2604 set thread context of 1564	2604	nvsys86.exe	151
PID 2608 set thread context of 2456	2608	nvsys86.exe	490
PID 1912 set thread context of 1364	1912	nvsys86.exe	182
PID 760 set thread context of 1284	760	nvsys86.exe	193
PID 1736 set thread context of 1520	1736	nvsys86.exe	404
PID 592 set thread context of 3036	592	nvsys86.exe	211
PID 2432 set thread context of 2528	2432	nvsys86.exe	230
PID 2512 set thread context of 2756	2512	nvsys86.exe	1119
PID 1752 set thread context of 1860	1752	nvsys86.exe	902
PID 2936 set thread context of 1140	2936	nvsys86.exe	1001
PID 2616 set thread context of 2904	2616	nvsys86.exe	1079
PID 1576 set thread context of 2624	1576	nvsys86.exe	283
PID 2440 set thread context of 2652	2440	nvsys86.exe	1046
PID 2220 set thread context of 948	2220	nvsys86.exe	312
PID 2876 set thread context of 2396	2876	nvsys86.exe	1427
PID 2016 set thread context of 2164	2016	nvsys86.exe	336
PID 1732 set thread context of 548	1732	nvsys86.exe	1491
PID 2432 set thread context of 2948	2432	nvsys86.exe	360
PID 2552 set thread context of 2720	2552	nvsys86.exe	375
PID 856 set thread context of 1804	856	nvsys86.exe	387
PID 1808 set thread context of 1584	1808	nvsys86.exe	1724
PID 2516 set thread context of 1556	2516	nvsys86.exe	1919
PID 2124 set thread context of 1964	2124	nvsys86.exe	419
PID 280 set thread context of 2544	280	nvsys86.exe	1908
PID 2728 set thread context of 2724	2728	nvsys86.exe	442
PID 2384 set thread context of 1912	2384	nvsys86.exe	1352
PID 2288 set thread context of 2832	2288	nvsys86.exe	2314
PID 2428 set thread context of 2648	2428	nvsys86.exe	1461
PID 2236 set thread context of 2668	2236	nvsys86.exe	2359
PID 2336 set thread context of 2936	2336	nvsys86.exe	518
PID 2820 set thread context of 2792	2820	nvsys86.exe	523
PID 1236 set thread context of 2312	1236	nvsys86.exe	2156
PID 2748 set thread context of 2816	2748	nvsys86.exe	553
PID 2564 set thread context of 2736	2564	nvsys86.exe	2653
PID 1600 set thread context of 2668	1600	nvsys86.exe	2835
PID 1480 set thread context of 2692	1480	nvsys86.exe	2274
PID 3060 set thread context of 2520	3060	nvsys86.exe	2662
PID 1220 set thread context of 1936	1220	nvsys86.exe	612
PID 2468 set thread context of 2328	2468	nvsys86.exe	3016
PID 2140 set thread context of 1788	2140	nvsys86.exe	636
PID 1860 set thread context of 2668	1860	nvsys86.exe	2835
PID 1652 set thread context of 1592	1652	nvsys86.exe	655
PID 2640 set thread context of 1700	2640	nvsys86.exe	3268
PID 1472 set thread context of 2972	1472	nvsys86.exe	3154
PID 2532 set thread context of 1616	2532	nvsys86.exe	3376
PID 3048 set thread context of 1860	3048	nvsys86.exe	3441
PID 988 set thread context of 2116	988	nvsys86.exe	3508
PID 760 set thread context of 2420	760	nvsys86.exe	1620
PID 2408 set thread context of 1232	2408	nvsys86.exe	745
PID 2796 set thread context of 608	2796	nvsys86.exe	1147
PID 1772 set thread context of 2152	1772	nvsys86.exe	3733
PID 896 set thread context of 2616	896	nvsys86.exe	1096
PID 2540 set thread context of 2200	2540	nvsys86.exe	792

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2600	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2752	nvsys86.exe
Token: SeIncBasePriorityPrivilege	492	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2040	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2180	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2444	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2744	nvsys86.exe
Token: SeIncBasePriorityPrivilege	580	nvsys86.exe
Token: SeIncBasePriorityPrivilege	940	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2984	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1564	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2456	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1364	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1284	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1520	nvsys86.exe
Token: SeIncBasePriorityPrivilege	3036	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2528	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2756	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1860	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1140	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2904	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2624	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2652	nvsys86.exe
Token: SeIncBasePriorityPrivilege	948	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2396	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2164	nvsys86.exe
Token: SeIncBasePriorityPrivilege	548	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2948	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2720	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1804	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1584	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1556	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1964	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2544	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2724	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1912	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2832	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2328	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2648	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2668	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2936	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2792	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2312	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2816	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2736	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2668	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2692	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2520	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1936	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2328	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1788	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2668	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1592	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2972	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1616	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1860	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2116	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2420	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1232	nvsys86.exe
Token: SeIncBasePriorityPrivilege	608	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2152	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2616	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2200	nvsys86.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 656 wrote to memory of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 656 wrote to memory of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 656 wrote to memory of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 656 wrote to memory of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 656 wrote to memory of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 656 wrote to memory of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 656 wrote to memory of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 656 wrote to memory of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 656 wrote to memory of 2368	656	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	29
PID 2368 wrote to memory of 1408	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1408	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1408	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1408	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2448	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2448	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2448	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2448	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	31
PID 1408 wrote to memory of 2600	1408	nvsys86.exe	32
PID 1408 wrote to memory of 2600	1408	nvsys86.exe	32
PID 1408 wrote to memory of 2600	1408	nvsys86.exe	32
PID 1408 wrote to memory of 2600	1408	nvsys86.exe	32
PID 1408 wrote to memory of 2600	1408	nvsys86.exe	32
PID 1408 wrote to memory of 2600	1408	nvsys86.exe	32
PID 1408 wrote to memory of 2600	1408	nvsys86.exe	32
PID 2368 wrote to memory of 2436	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	33
PID 2368 wrote to memory of 2436	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	33
PID 2368 wrote to memory of 2436	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	33
PID 2368 wrote to memory of 2436	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	33
PID 1408 wrote to memory of 2600	1408	nvsys86.exe	32
PID 1408 wrote to memory of 2600	1408	nvsys86.exe	32
PID 1408 wrote to memory of 2600	1408	nvsys86.exe	32
PID 2368 wrote to memory of 2412	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	34
PID 2368 wrote to memory of 2412	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	34
PID 2368 wrote to memory of 2412	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	34
PID 2368 wrote to memory of 2412	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	34
PID 2368 wrote to memory of 2176	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	35
PID 2368 wrote to memory of 2176	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	35
PID 2368 wrote to memory of 2176	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	35
PID 2368 wrote to memory of 2176	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	35
PID 2368 wrote to memory of 2892	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	36
PID 2368 wrote to memory of 2892	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	36
PID 2368 wrote to memory of 2892	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	36
PID 2368 wrote to memory of 2892	2368	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	36
PID 2600 wrote to memory of 2736	2600	nvsys86.exe	106
PID 2600 wrote to memory of 2736	2600	nvsys86.exe	106
PID 2600 wrote to memory of 2736	2600	nvsys86.exe	106
PID 2600 wrote to memory of 2736	2600	nvsys86.exe	106
PID 2736 wrote to memory of 2752	2736	nvsys86.exe	43
PID 2736 wrote to memory of 2752	2736	nvsys86.exe	43
PID 2736 wrote to memory of 2752	2736	nvsys86.exe	43
PID 2736 wrote to memory of 2752	2736	nvsys86.exe	43
PID 2600 wrote to memory of 680	2600	nvsys86.exe	44
PID 2600 wrote to memory of 680	2600	nvsys86.exe	44
PID 2600 wrote to memory of 680	2600	nvsys86.exe	44
PID 2600 wrote to memory of 680	2600	nvsys86.exe	44
PID 2600 wrote to memory of 580	2600	nvsys86.exe	115
PID 2600 wrote to memory of 580	2600	nvsys86.exe	115
PID 2600 wrote to memory of 580	2600	nvsys86.exe	115
PID 2600 wrote to memory of 580	2600	nvsys86.exe	115
PID 2600 wrote to memory of 1448	2600	nvsys86.exe	46
PID 2600 wrote to memory of 1448	2600	nvsys86.exe	46
PID 2600 wrote to memory of 1448	2600	nvsys86.exe	46
PID 2600 wrote to memory of 1448	2600	nvsys86.exe	46

C:\Users\Admin\AppData\Local\Temp\27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\nvsys86.exe
    "C:\Windows\system32\nvsys86.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\nvsys86.exe
      "C:\Windows\SysWOW64\nvsys86.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1688
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2224
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1492
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1572
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2648
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1856
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2096
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1584
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        22⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2604
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2608
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        26⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1912
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:760
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        30⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1736
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        32⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:592
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2432
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2512
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1752
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2936
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2616
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        44⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1576
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        46⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2440
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2220
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        50⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2876
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        52⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2016
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        54⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1732
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2432
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        58⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2552
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:856
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        62⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1808
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2516
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:2124
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        68⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:280
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        70⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:2728
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        72⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:2384
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        74⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:2288
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        76⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        77⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        78⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:2428
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        80⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:2236
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        82⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:2336
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        84⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:2820
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        86⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:1236
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        88⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:2748
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        90⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2564
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        92⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:1600
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        94⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:1480
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        96⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:3060
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        98⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:1220
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        100⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2468
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        102⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:2140
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        104⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:1860
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        106⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:1652
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        108⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:2640
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        110⤵
        Adds Run key to start application
        
        PID:1700
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:1472
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        112⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:2532
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        114⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:3048
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        116⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:988
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        118⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:760
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        120⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:2408
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        122⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:2796
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        124⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:1772
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        126⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:896
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        128⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        129⤵
        Suspicious use of SetThreadContext
        
        PID:2540
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        130⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        131⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        132⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        133⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        134⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        135⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        136⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        137⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        138⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        139⤵
        
        PID:444
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        140⤵
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        141⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        142⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        143⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        144⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        145⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        146⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1904
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        147⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        148⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:344
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        149⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        150⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:3044
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        151⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        152⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        153⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        154⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        155⤵
        
        PID:688
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        156⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        157⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        158⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        159⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        160⤵
        Adds Run key to start application
        
        PID:2748
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        161⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        162⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        163⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        164⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        165⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        166⤵
        Drops file in Drivers directory
        
        PID:2176
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        167⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        168⤵
        Drops file in Drivers directory
        
        PID:1296
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        169⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        170⤵
        Adds Run key to start application
        
        PID:1216
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        171⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        172⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        173⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        174⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        175⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        176⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        177⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        178⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        179⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        180⤵
        Adds Run key to start application
        
        PID:2616
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        181⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        182⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        183⤵
        
        PID:548
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        184⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        185⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        186⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        187⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        188⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        189⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        190⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:608
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        191⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        192⤵
        Adds Run key to start application
        
        PID:3012
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        193⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        194⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1632
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        195⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        196⤵
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        197⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        198⤵
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        199⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        200⤵
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        201⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        202⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        203⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        204⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        205⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        206⤵
        Adds Run key to start application
        
        PID:2244
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        207⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        208⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        209⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        210⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        211⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        212⤵
        Drops file in Drivers directory
        
        PID:2664
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        213⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        214⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        215⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        216⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        217⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        218⤵
        Drops file in Drivers directory
        
        PID:2304
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        219⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        220⤵
        Adds Run key to start application
        
        PID:1236
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        221⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        222⤵
        Drops file in Drivers directory
        
        PID:2988
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        223⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        224⤵
        Adds Run key to start application
        
        PID:2000
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        225⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        226⤵
        Drops file in Drivers directory
        
        PID:3068
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        227⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        228⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        229⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        230⤵
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        231⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        232⤵
        Adds Run key to start application
        
        PID:2824
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        233⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        234⤵
        Drops file in Drivers directory
        
        PID:1744
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        235⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        236⤵
        Drops file in Drivers directory
        
        PID:108
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        237⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        238⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        239⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        240⤵
        
        PID:348
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        241⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        242⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        243⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        244⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        245⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        246⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        247⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        248⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:296
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        249⤵
        
        PID:924
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        250⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        251⤵
        
        PID:348
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        252⤵
        Drops file in Drivers directory
        
        PID:1800
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        253⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        254⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        255⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        256⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2032
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        257⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        258⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        259⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        260⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        261⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        262⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        263⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        264⤵
        
        PID:876
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        265⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        266⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        267⤵
        
        PID:656
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        268⤵
        Drops file in Drivers directory
        
        PID:2420
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        269⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        270⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2576
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        271⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        272⤵
        Adds Run key to start application
        
        PID:348
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        273⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        274⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        275⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        276⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        277⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        277⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        277⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        275⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        275⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        275⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        275⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        275⤵
        
        PID:556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        273⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        273⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        273⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        273⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        273⤵
        
        PID:280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        271⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        271⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        271⤵
        
        PID:748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        271⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        271⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        269⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        269⤵
        
        PID:624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        269⤵
        
        PID:924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        269⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        269⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        267⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        267⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        267⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        267⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        267⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        265⤵
        
        PID:696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        265⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        265⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        265⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        265⤵
        
        PID:568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        263⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        263⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        263⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        263⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        263⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        261⤵
        
        PID:444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        261⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        261⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        261⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        261⤵
        
        PID:480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        259⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        259⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        259⤵
        
        PID:584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        259⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        259⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        257⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        257⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        257⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        257⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        257⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        255⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        255⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        255⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        255⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        255⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        253⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        253⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        253⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        253⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        253⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        251⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        251⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        251⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        251⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        251⤵
        
        PID:804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        249⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        249⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        249⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        249⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        249⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        247⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        247⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        247⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        247⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        247⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        245⤵
        
        PID:592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        245⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        245⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        245⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        245⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        243⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        243⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        243⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        243⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        243⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        241⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        241⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        241⤵
        
        PID:480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        241⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        241⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        239⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        239⤵
        
        PID:624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        239⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        239⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        239⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        237⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        237⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        237⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        237⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        237⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        235⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        235⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        235⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        235⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        235⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        233⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        233⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        233⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        233⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        233⤵
        
        PID:288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        231⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        231⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        231⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        231⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        231⤵
        
        PID:760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        229⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        229⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        229⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        229⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        229⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        227⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        227⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        227⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        227⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        227⤵
        
        PID:264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        225⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        225⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        225⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        225⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        225⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        223⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        223⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        223⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        223⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        223⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        221⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        221⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        221⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        221⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        221⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        219⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        219⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        219⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        219⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        219⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        217⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        217⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        217⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        217⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        217⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        215⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        215⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        215⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        215⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        215⤵
        
        PID:556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        213⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        213⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        213⤵
        
        PID:316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        213⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        213⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        211⤵
        
        PID:444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        211⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        211⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        211⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        211⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        209⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        209⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        209⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        209⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        209⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        207⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        207⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        207⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        207⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        207⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        205⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        205⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        205⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        205⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        205⤵
        
        PID:656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        203⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        203⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        203⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        203⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        203⤵
        
        PID:876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        201⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        201⤵
        
        PID:112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        201⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        201⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        201⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        199⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        199⤵
        
        PID:924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        199⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        199⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        199⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        197⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        197⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        197⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        197⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        197⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        195⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        195⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        195⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        195⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        195⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        193⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        193⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        193⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        193⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        193⤵
        
        PID:548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        191⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        191⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        191⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        191⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        191⤵
        
        PID:760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        189⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        189⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        189⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        189⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        189⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        187⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        187⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        187⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        187⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        187⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        185⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        185⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        185⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        185⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        185⤵
        
        PID:556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        183⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        183⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        183⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        183⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        183⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        181⤵
        
        PID:444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        181⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        181⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        181⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        181⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        179⤵
        
        PID:348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        179⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        179⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        179⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        179⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        177⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        177⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        177⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        177⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        177⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        175⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        175⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        175⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        175⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        175⤵
        
        PID:536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        173⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        173⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        173⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        173⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        173⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        171⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        171⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        171⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        171⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        171⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        169⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        169⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        169⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        169⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        169⤵
        
        PID:592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        167⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        167⤵
        
        PID:988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        167⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        167⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        167⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        165⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        165⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        165⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        165⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        165⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        163⤵
        
        PID:392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        163⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        163⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        163⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        163⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        161⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        161⤵
        
        PID:748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        161⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        161⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        161⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        159⤵
        
        PID:592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        159⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        159⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        159⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        159⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        157⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        157⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        157⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        157⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        157⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        155⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        155⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        155⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        155⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        155⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        153⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        153⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        153⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        153⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        153⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        151⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        151⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        151⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        151⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        151⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        149⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        149⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        149⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        149⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        149⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        147⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        147⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        147⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        147⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        147⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        145⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        145⤵
        
        PID:872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        145⤵
        
        PID:904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        145⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        145⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        143⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        143⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        143⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        143⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        143⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        141⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        141⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        141⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        141⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        141⤵
        
        PID:264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        139⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        139⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        139⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        139⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        139⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        137⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        137⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        137⤵
        
        PID:896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        137⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        137⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        135⤵
        
        PID:268
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        135⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        135⤵
        
        PID:684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        135⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        135⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        133⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        133⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        133⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        133⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        133⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        131⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        131⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        131⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        131⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        131⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        129⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        129⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        129⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        129⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        129⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        127⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        127⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        127⤵
        
        PID:568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        127⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        127⤵
        
        PID:836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        125⤵
        
        PID:532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        125⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        125⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        125⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        125⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        123⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        123⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        123⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        123⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        123⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        121⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        121⤵
        
        PID:548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        121⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        121⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        121⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        119⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        119⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        119⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        117⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        117⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        117⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        115⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        115⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        115⤵
        
        PID:112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        113⤵
        
        PID:856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        113⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        113⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        111⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        111⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        111⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        109⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        109⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        109⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        107⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        107⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        107⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        105⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        105⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        105⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        103⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        103⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        103⤵
        
        PID:584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        101⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        101⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        101⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        99⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        99⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        99⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        97⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        97⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        97⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        95⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        95⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        95⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        93⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        93⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        93⤵
        
        PID:904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        91⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        91⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        91⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        89⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        89⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        89⤵
        
        PID:884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        87⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        87⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        87⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        
        PID:836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        85⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        85⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        85⤵
        
        PID:348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        83⤵
        
        PID:336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        83⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        83⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        81⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        81⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        81⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        79⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        79⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        79⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        77⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        77⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        77⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        75⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        75⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        75⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        73⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        73⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        73⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        71⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        71⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        71⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        69⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        69⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        67⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        65⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        63⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        61⤵
        
        PID:444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        59⤵
        
        PID:904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        57⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        55⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        53⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        51⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        49⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        47⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        45⤵
        
        PID:112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        43⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        41⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        39⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        37⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        35⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        33⤵
        
        PID:348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        31⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        29⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        27⤵
        
        PID:876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        25⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        23⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        21⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        19⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        17⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        15⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        13⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        11⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        9⤵
        
        PID:992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        7⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:680
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:580
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:1448
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:1860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        5⤵
        
        PID:1740
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\27BED2~1.EXE > nul
    3⤵
    - Deletes itself
    PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "706608757-1312269410-2017057480-867364136-1011287514932641594-1965003202696415837"
1⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-113260832712428114711414186308-1059212640-2515048901880574938-1053741291722826438"
1⤵
PID:992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1341019692349059137515247405-1606837197-35069537511716461111680980241948882397"
1⤵
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17059734282483253781751158168-746775018806779964-11015312991473757777-1443821222"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2513634131065498358-1744442447114892671310596748641128915965-1437795302-80119280"
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1211784732110234135-114371928920857444721421944719-1676890711-843326646-340762913"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1812706191571702619-1501247566853343026-704906815-28514413-7869800961470249760"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1253979741177290412321150390315007242181094614673-14303114531554790734-1208087161"
1⤵
PID:1856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6299074072081503791-1418383788-720183479-557547908-177897833015454827321554392402"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-890564365-11705517113080948451134458071839940183-787178931128451002962854163"
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14652328618876152801029288011991840744-92949658270054790818499377572113815772"
1⤵
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-500150233-781712051-207738168322190055208592583914851384441778503709428101909"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-562694291-12893678221698878906-20816824441745277568-471820330627397288358150876"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12905003482124608740-1823568621591534777101791835-443605930-1726080629-1051028110"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1880748721-18025990212022163445-57349017-831223633427038298-369396834-1515516686"
1⤵
PID:1556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1645179225-336952845623003071-13682815439107223107200406081733248508800185421"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-265451555-1761266368-124069627075170656-8621568937017130-1498868758405556215"
1⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4989128881046166482-194854141411937192292136853324-105250940367326005-1315644360"
1⤵
PID:876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1309963002211898138910997261518301044291050495622190606127210632138151219083100"
1⤵
PID:1416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10371238241939531861-198449273221060123601829147630827037041371038478-424377659"
1⤵
PID:336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1448279224747121472-174429976-92482116-749491276-1440746274-1390584711-1481039772"
1⤵
PID:1448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-771125732-658665749-16754098851751591386-324162007-363176267714905416-1952558541"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "642793092-495486442805322271140694967162675858816272617261664189455-1435693188"
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7028033742105234812-481033128-470867852-917270444512160021331008337-1699562365"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1144975805161687687-275330451192486386618488448141994600732-251111309-1468126306"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11450315801986932529-1286021949-10129474432498431501175697940-13884549672011694195"
1⤵
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "534285084-1965271053859091307883477106-901283052-187380612217216255571435284963"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1825935735-1531029950-625701776-272343671142473915615032879321684264688-2029145964"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2058387542643863859-1813158913-622810521778461616-1092472961-1527304479-1950229415"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1691633360518900253-2120988041202900774214164727141409547131-277877303-785031722"
1⤵
PID:1860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1331597908189085427219970282041239263048132176760-199086494-350170092-543461998"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7320444521230774881273212410254348628-195254110-32850773521585356-384782417"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-796158716-74193568218962696002130075881-2362850512125690697-2125943841345398033"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "199244037831957454118360630591543619882-288193988314376961-1340356050-1581617103"
1⤵
PID:1140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-263970549-1136727636436725171-395818424-13889610171362512888-213101028265806838"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "266588669-20709493562022014552-869083178-1702986826-66862333565942213999243331"
1⤵
PID:2272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1584684168-21602759915274206621268571539-235579957-944587357-1653567150-1360363258"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1564580803-857475569-15485841071258292970319597417-1916305520362490823-340151708"
1⤵
PID:2228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-462138621-1523858376-704560705-1033104724-8539705816039743271583279796-500661002"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "396339995-1658957533-11224813-915340705-37754511-232971319-1910473726-1269574203"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1921948966-2715899961319305576-927747632626690056802637690-2116723102883793868"
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11483502151778661215-717766099-1467610157-915101063-831293212212361596454204125"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "946547512-1596486155-15676792661286833843-656385715-680867272-617173850741363538"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-751864733-5252226661114396219-353788545-1000130667445371409-5790623481114971371"
1⤵
PID:2176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-31797321974288317-1994474243-2000230826-928939014-804971290-1437072310738771177"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-102318862-589208085-1537851837-67033121532333631-591158066-17365530081395452184"
1⤵
PID:1416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3008569201066160543-2036277540-1658430084-4357126085772420482104568347-606044752"
1⤵
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11927101311770342298-2158309432095840729-11644183811496154451-20508023521970725804"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "255043643-1732786236-542684726415561086-1579303680-790835312-1989694359-1951260717"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1886327911-1415478895-181515222-114586043996168446168474187438529425388732622"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "574425123-269451604863643426-69652968716512924055916252777894689161191287367"
1⤵
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-140216202-479815224438600799147983279-1023336437-1119299641322471253-1361172119"
1⤵
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1692506039179143362210358870851883994990191093553-28785500818291773441039238412"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1349508983587521174-2046923273-70378079245023123612349450451898002443-108830601"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-660363739-14559664647915903321928900609-392419576579587104529898990-5821625"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9025058462033875663706350366618794763-1157580149-5854491862038406429-1270389977"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1547654115-7930149121465246400-642522555-654090957-1803390999467497857-1330345387"
1⤵
PID:296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "949682986913656821208293588549617694-20463001162041106819-12232869841554944631"
1⤵
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2104122917-1398645482100424531800737685602686560-467257326217307494-1406161565"
1⤵
PID:548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14134417651830071954-1975090035221194461980313493-1522702598-686743284-1698023729"
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\drivers\etc\hosts

Filesize
4KB

MD5
11f6cf33b3e24cfee3a811290d497982

SHA1
4d451808a3530540ed4d06938f8cf104aa32daa0

SHA256
f9542b717f26b0f05c769c1279de34698de0c9bf5078f584c645cfb3a1ad860b

SHA512
02e17dd4a8adb640c0eb271bc034e10ff337f369516a44e1cd5bcf950365b5e0d1a19b0627dcb93b82f13288be8028b008399f2cb52cc1b5bfb0664e9e848154

Download Submit
\Windows\SysWOW64\nvsys86.exe

Filesize
42KB

MD5
27bed2b769dc018f0f0f329d7bd7f37b

SHA1
4f5f8985fe54ebae375bee381d95173166d5ac19

SHA256
8f2b1df6121a1aad9eecd3ce05146d2777ebeb439768add2d303657c6a4e0f60

SHA512
fedd890bbcf40eb1f2cbfe34f5cc2fd244659bd3ae53f8754dbcdcc31f4d15f9cd45ab27d2598c3d7ff61bc4695d83218cdd34662299cb9d3482f0f437ef8103

Download Submit
memory/280-710-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/280-724-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/492-115-0x0000000002E70000-0x0000000002E89000-memory.dmp

Filesize
100KB

Download
memory/548-596-0x00000000030B0000-0x00000000030C9000-memory.dmp

Filesize
100KB

Download
memory/580-236-0x0000000002FF0000-0x0000000003009000-memory.dmp

Filesize
100KB

Download
memory/580-237-0x0000000002FF0000-0x0000000003009000-memory.dmp

Filesize
100KB

Download
memory/592-391-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/592-377-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/656-1-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/656-0-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/656-20-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/760-345-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/856-637-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/856-650-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1364-340-0x0000000003400000-0x0000000003419000-memory.dmp

Filesize
100KB

Download
memory/1364-341-0x0000000003400000-0x0000000003419000-memory.dmp

Filesize
100KB

Download
memory/1408-38-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/1408-37-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1408-57-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1492-144-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1492-159-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1520-376-0x00000000031C0000-0x00000000031D9000-memory.dmp

Filesize
100KB

Download
memory/1556-688-0x00000000030B0000-0x00000000030C9000-memory.dmp

Filesize
100KB

Download
memory/1556-689-0x00000000030B0000-0x00000000030C9000-memory.dmp

Filesize
100KB

Download
memory/1572-185-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1572-171-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1576-486-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1576-499-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1584-278-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1584-265-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1688-97-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1688-110-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1732-594-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1736-362-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1752-447-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1752-432-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1808-668-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1808-655-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1856-213-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1856-226-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1860-449-0x00000000048D0000-0x00000000048E9000-memory.dmp

Filesize
100KB

Download
memory/1912-325-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1912-338-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1964-708-0x0000000002F30000-0x0000000002F49000-memory.dmp

Filesize
100KB

Download
memory/1964-709-0x0000000002F30000-0x0000000002F49000-memory.dmp

Filesize
100KB

Download
memory/2016-575-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2016-562-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2040-142-0x00000000030B0000-0x00000000030C9000-memory.dmp

Filesize
100KB

Download
memory/2040-143-0x00000000030B0000-0x00000000030C9000-memory.dmp

Filesize
100KB

Download
memory/2096-238-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2096-255-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2124-690-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2124-706-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2164-578-0x0000000002EC0000-0x0000000002ED9000-memory.dmp

Filesize
100KB

Download
memory/2164-577-0x0000000002EC0000-0x0000000002ED9000-memory.dmp

Filesize
100KB

Download
memory/2180-164-0x0000000002EA0000-0x0000000002EB9000-memory.dmp

Filesize
100KB

Download
memory/2180-165-0x0000000002EA0000-0x0000000002EB9000-memory.dmp

Filesize
100KB

Download
memory/2220-539-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2220-526-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2224-134-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2224-119-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2368-26-0x0000000003330000-0x0000000003349000-memory.dmp

Filesize
100KB

Download
memory/2368-30-0x0000000003330000-0x0000000003349000-memory.dmp

Filesize
100KB

Download
memory/2368-21-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2368-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2368-15-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2368-12-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2368-9-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2368-7-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2368-2-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2368-4-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2432-598-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2432-398-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2432-411-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2432-613-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2440-507-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2440-520-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2512-429-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2512-416-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2516-686-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2516-673-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2544-729-0x0000000003210000-0x0000000003229000-memory.dmp

Filesize
100KB

Download
memory/2552-632-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2600-65-0x0000000003340000-0x0000000003359000-memory.dmp

Filesize
100KB

Download
memory/2600-67-0x0000000003340000-0x0000000003359000-memory.dmp

Filesize
100KB

Download
memory/2604-285-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2604-300-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2608-307-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2608-320-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2616-471-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2616-484-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2648-207-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2648-194-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2652-522-0x0000000003000000-0x0000000003019000-memory.dmp

Filesize
100KB

Download
memory/2736-69-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/2736-85-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2736-68-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2876-557-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2876-544-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2936-466-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2936-453-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2948-615-0x0000000002F70000-0x0000000002F89000-memory.dmp

Filesize
100KB

Download
memory/2948-616-0x0000000002F70000-0x0000000002F89000-memory.dmp

Filesize
100KB

Download
memory/2984-284-0x0000000003140000-0x0000000003159000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads