8f2b1df6121a1aad9eecd3ce05146d2777ebeb439768add2d303657c6a4e0f60

Analysis

max time kernel
47s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
Size

42KB
MD5

27bed2b769dc018f0f0f329d7bd7f37b
SHA1

4f5f8985fe54ebae375bee381d95173166d5ac19
SHA256

8f2b1df6121a1aad9eecd3ce05146d2777ebeb439768add2d303657c6a4e0f60
SHA512

fedd890bbcf40eb1f2cbfe34f5cc2fd244659bd3ae53f8754dbcdcc31f4d15f9cd45ab27d2598c3d7ff61bc4695d83218cdd34662299cb9d3482f0f437ef8103
SSDEEP

768:Iehi6i18f3rIrRC6zjZj0YzI64MdOpkZ8Dew70T670Sg32L:rYq6CijU/j+kS+xL

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nvsys86.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	nvsys86.exe

Executes dropped EXE 64 IoCs

pid	Process
3268	nvsys86.exe
1132	nvsys86.exe
1168	nvsys86.exe
2708	nvsys86.exe
1468	nvsys86.exe
4684	nvsys86.exe
3416	nvsys86.exe
5096	nvsys86.exe
4824	nvsys86.exe
2276	nvsys86.exe
4108	nvsys86.exe
2860	nvsys86.exe
3884	nvsys86.exe
2912	nvsys86.exe
4480	nvsys86.exe
2476	nvsys86.exe
3032	nvsys86.exe
1600	nvsys86.exe
1152	nvsys86.exe
620	nvsys86.exe
4328	nvsys86.exe
2908	nvsys86.exe
1624	nvsys86.exe
468	nvsys86.exe
4884	nvsys86.exe
4832	nvsys86.exe
3108	nvsys86.exe
4372	nvsys86.exe
1464	nvsys86.exe
2004	nvsys86.exe
4104	nvsys86.exe
2372	nvsys86.exe
1276	nvsys86.exe
4012	nvsys86.exe
4848	nvsys86.exe
3604	nvsys86.exe
3324	nvsys86.exe
2724	nvsys86.exe
920	nvsys86.exe
4524	nvsys86.exe
1892	nvsys86.exe
3524	nvsys86.exe
640	nvsys86.exe
4532	nvsys86.exe
3980	nvsys86.exe
1392	nvsys86.exe
2272	nvsys86.exe
3844	nvsys86.exe
5080	nvsys86.exe
744	nvsys86.exe
3076	nvsys86.exe
2688	nvsys86.exe
4840	nvsys86.exe
2976	nvsys86.exe
4504	nvsys86.exe
100	nvsys86.exe
4996	nvsys86.exe
2088	nvsys86.exe
1784	nvsys86.exe
4024	nvsys86.exe
1200	nvsys86.exe
3956	nvsys86.exe
4900	nvsys86.exe
4296	nvsys86.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nVidia Display Drivers (x86) = "nvsys86.exe"	nvsys86.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File opened for modification	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe
File created	C:\Windows\SysWOW64\nvsys86.exe	nvsys86.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 4436	2812	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	82
PID 3268 set thread context of 1132	3268	nvsys86.exe	92
PID 1168 set thread context of 2708	1168	nvsys86.exe	107
PID 1468 set thread context of 4684	1468	nvsys86.exe	120
PID 3416 set thread context of 5096	3416	nvsys86.exe	132
PID 4824 set thread context of 2276	4824	nvsys86.exe	145
PID 4108 set thread context of 2860	4108	nvsys86.exe	153
PID 3884 set thread context of 2912	3884	nvsys86.exe	166
PID 4480 set thread context of 2476	4480	nvsys86.exe	352
PID 3032 set thread context of 1600	3032	nvsys86.exe	191
PID 1152 set thread context of 620	1152	nvsys86.exe	203
PID 4328 set thread context of 2908	4328	nvsys86.exe	215
PID 1624 set thread context of 468	1624	nvsys86.exe	225
PID 4884 set thread context of 4832	4884	nvsys86.exe	237
PID 3108 set thread context of 4372	3108	nvsys86.exe	249
PID 1464 set thread context of 2004	1464	nvsys86.exe	261
PID 4104 set thread context of 2372	4104	nvsys86.exe	734
PID 1276 set thread context of 4012	1276	nvsys86.exe	286
PID 4848 set thread context of 3604	4848	nvsys86.exe	533
PID 3324 set thread context of 2724	3324	nvsys86.exe	661
PID 920 set thread context of 4524	920	nvsys86.exe	322
PID 1892 set thread context of 3524	1892	nvsys86.exe	337
PID 640 set thread context of 4532	640	nvsys86.exe	349
PID 3980 set thread context of 1392	3980	nvsys86.exe	597
PID 2272 set thread context of 3844	2272	nvsys86.exe	914
PID 5080 set thread context of 744	5080	nvsys86.exe	381
PID 3076 set thread context of 2688	3076	nvsys86.exe	395
PID 4840 set thread context of 2976	4840	nvsys86.exe	923
PID 4504 set thread context of 100	4504	nvsys86.exe	887
PID 4996 set thread context of 2088	4996	nvsys86.exe	429
PID 1784 set thread context of 4024	1784	nvsys86.exe	440
PID 1200 set thread context of 3956	1200	nvsys86.exe	454
PID 4900 set thread context of 4296	4900	nvsys86.exe	466
PID 3604 set thread context of 5048	3604	nvsys86.exe	478
PID 4716 set thread context of 2328	4716	nvsys86.exe	1419
PID 2192 set thread context of 2984	2192	nvsys86.exe	504
PID 4660 set thread context of 1872	4660	nvsys86.exe	516
PID 3808 set thread context of 4592	3808	nvsys86.exe	527
PID 3660 set thread context of 3200	3660	nvsys86.exe	1360
PID 4108 set thread context of 4464	4108	nvsys86.exe	550
PID 688 set thread context of 4876	688	nvsys86.exe	562
PID 3080 set thread context of 4148	3080	nvsys86.exe	1622
PID 1396 set thread context of 4000	1396	nvsys86.exe	1588
PID 3304 set thread context of 1392	3304	nvsys86.exe	597
PID 3868 set thread context of 724	3868	nvsys86.exe	610
PID 2508 set thread context of 2092	2508	nvsys86.exe	621
PID 732 set thread context of 1352	732	nvsys86.exe	1791
PID 3376 set thread context of 1216	3376	nvsys86.exe	1647
PID 3580 set thread context of 3872	3580	nvsys86.exe	1886
PID 4376 set thread context of 2992	4376	nvsys86.exe	671
PID 2372 set thread context of 2820	2372	nvsys86.exe	1188
PID 2604 set thread context of 704	2604	nvsys86.exe	1822
PID 3768 set thread context of 3456	3768	nvsys86.exe	1682
PID 4820 set thread context of 1096	4820	nvsys86.exe	1770
PID 1100 set thread context of 3132	1100	nvsys86.exe	730
PID 1952 set thread context of 1996	1952	nvsys86.exe	2045
PID 2220 set thread context of 2812	2220	nvsys86.exe	1967
PID 2172 set thread context of 2016	2172	nvsys86.exe	766
PID 3300 set thread context of 1340	3300	nvsys86.exe	1793
PID 1612 set thread context of 2360	1612	nvsys86.exe	2243
PID 1468 set thread context of 732	1468	nvsys86.exe	801
PID 2976 set thread context of 4016	2976	nvsys86.exe	2317
PID 740 set thread context of 4992	740	nvsys86.exe	2016
PID 3300 set thread context of 536	3300	nvsys86.exe	2367

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nvsys86.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1132	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2708	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4684	nvsys86.exe
Token: SeIncBasePriorityPrivilege	5096	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2276	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2860	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2912	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2476	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1600	nvsys86.exe
Token: SeIncBasePriorityPrivilege	620	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2908	nvsys86.exe
Token: SeIncBasePriorityPrivilege	468	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4832	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4372	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2004	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2372	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4012	nvsys86.exe
Token: SeIncBasePriorityPrivilege	3604	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2724	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4524	nvsys86.exe
Token: SeIncBasePriorityPrivilege	3524	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4532	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1392	nvsys86.exe
Token: SeIncBasePriorityPrivilege	3844	nvsys86.exe
Token: SeIncBasePriorityPrivilege	744	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2688	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2976	nvsys86.exe
Token: SeIncBasePriorityPrivilege	100	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2088	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4024	nvsys86.exe
Token: SeIncBasePriorityPrivilege	3956	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4296	nvsys86.exe
Token: SeIncBasePriorityPrivilege	5048	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2328	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2984	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1872	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4592	nvsys86.exe
Token: SeIncBasePriorityPrivilege	3200	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4464	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4876	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4148	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4000	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1392	nvsys86.exe
Token: SeIncBasePriorityPrivilege	724	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2092	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1352	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1216	nvsys86.exe
Token: SeIncBasePriorityPrivilege	3872	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2992	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2820	nvsys86.exe
Token: SeIncBasePriorityPrivilege	704	nvsys86.exe
Token: SeIncBasePriorityPrivilege	3456	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1096	nvsys86.exe
Token: SeIncBasePriorityPrivilege	3132	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1996	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2812	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2016	nvsys86.exe
Token: SeIncBasePriorityPrivilege	1340	nvsys86.exe
Token: SeIncBasePriorityPrivilege	2360	nvsys86.exe
Token: SeIncBasePriorityPrivilege	732	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4016	nvsys86.exe
Token: SeIncBasePriorityPrivilege	4992	nvsys86.exe
Token: SeIncBasePriorityPrivilege	536	nvsys86.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 4436	2812	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	82
PID 2812 wrote to memory of 4436	2812	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	82
PID 2812 wrote to memory of 4436	2812	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	82
PID 2812 wrote to memory of 4436	2812	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	82
PID 2812 wrote to memory of 4436	2812	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	82
PID 2812 wrote to memory of 4436	2812	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	82
PID 2812 wrote to memory of 4436	2812	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	82
PID 2812 wrote to memory of 4436	2812	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	82
PID 2812 wrote to memory of 4436	2812	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	82
PID 4436 wrote to memory of 3268	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	86
PID 4436 wrote to memory of 3268	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	86
PID 4436 wrote to memory of 3268	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	86
PID 4436 wrote to memory of 4324	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	87
PID 4436 wrote to memory of 4324	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	87
PID 4436 wrote to memory of 4324	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	87
PID 4436 wrote to memory of 5064	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	88
PID 4436 wrote to memory of 5064	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	88
PID 4436 wrote to memory of 5064	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	88
PID 4436 wrote to memory of 2092	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	89
PID 4436 wrote to memory of 2092	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	89
PID 4436 wrote to memory of 2092	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	89
PID 4436 wrote to memory of 1824	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	90
PID 4436 wrote to memory of 1824	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	90
PID 4436 wrote to memory of 1824	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	90
PID 4436 wrote to memory of 3028	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	91
PID 4436 wrote to memory of 3028	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	91
PID 4436 wrote to memory of 3028	4436	27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe	91
PID 3268 wrote to memory of 1132	3268	nvsys86.exe	92
PID 3268 wrote to memory of 1132	3268	nvsys86.exe	92
PID 3268 wrote to memory of 1132	3268	nvsys86.exe	92
PID 3268 wrote to memory of 1132	3268	nvsys86.exe	92
PID 3268 wrote to memory of 1132	3268	nvsys86.exe	92
PID 3268 wrote to memory of 1132	3268	nvsys86.exe	92
PID 3268 wrote to memory of 1132	3268	nvsys86.exe	92
PID 3268 wrote to memory of 1132	3268	nvsys86.exe	92
PID 3268 wrote to memory of 1132	3268	nvsys86.exe	92
PID 1132 wrote to memory of 1168	1132	nvsys86.exe	98
PID 1132 wrote to memory of 1168	1132	nvsys86.exe	98
PID 1132 wrote to memory of 1168	1132	nvsys86.exe	98
PID 1132 wrote to memory of 3288	1132	nvsys86.exe	99
PID 1132 wrote to memory of 3288	1132	nvsys86.exe	99
PID 1132 wrote to memory of 3288	1132	nvsys86.exe	99
PID 1132 wrote to memory of 832	1132	nvsys86.exe	100
PID 1132 wrote to memory of 832	1132	nvsys86.exe	100
PID 1132 wrote to memory of 832	1132	nvsys86.exe	100
PID 1132 wrote to memory of 512	1132	nvsys86.exe	161
PID 1132 wrote to memory of 512	1132	nvsys86.exe	161
PID 1132 wrote to memory of 512	1132	nvsys86.exe	161
PID 1132 wrote to memory of 468	1132	nvsys86.exe	160
PID 1132 wrote to memory of 468	1132	nvsys86.exe	160
PID 1132 wrote to memory of 468	1132	nvsys86.exe	160
PID 1132 wrote to memory of 3848	1132	nvsys86.exe	103
PID 1132 wrote to memory of 3848	1132	nvsys86.exe	103
PID 1132 wrote to memory of 3848	1132	nvsys86.exe	103
PID 1168 wrote to memory of 2708	1168	nvsys86.exe	107
PID 1168 wrote to memory of 2708	1168	nvsys86.exe	107
PID 1168 wrote to memory of 2708	1168	nvsys86.exe	107
PID 1168 wrote to memory of 2708	1168	nvsys86.exe	107
PID 1168 wrote to memory of 2708	1168	nvsys86.exe	107
PID 1168 wrote to memory of 2708	1168	nvsys86.exe	107
PID 1168 wrote to memory of 2708	1168	nvsys86.exe	107
PID 1168 wrote to memory of 2708	1168	nvsys86.exe	107
PID 1168 wrote to memory of 2708	1168	nvsys86.exe	107
PID 2708 wrote to memory of 1468	2708	nvsys86.exe	110

C:\Users\Admin\AppData\Local\Temp\27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\27bed2b769dc018f0f0f329d7bd7f37b_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\nvsys86.exe
    "C:\Windows\system32\nvsys86.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\SysWOW64\nvsys86.exe
      "C:\Windows\SysWOW64\nvsys86.exe"
      4⤵
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        6⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1468
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3416
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        10⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4824
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4108
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3884
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4480
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3032
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        20⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1152
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        22⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4328
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        24⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1624
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        26⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4884
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3108
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        30⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1464
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        32⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4104
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1276
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4848
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3324
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        40⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:920
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        42⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1892
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        44⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:640
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        46⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3980
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2272
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5080
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3076
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        54⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4840
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        56⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4504
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        58⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:100
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4996
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        60⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1784
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1200
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4900
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:3604
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        68⤵
        Drops file in Drivers directory
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:4716
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        70⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:2192
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        72⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:4660
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        74⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:3808
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        76⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:3660
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        78⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:4108
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        80⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:688
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        82⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:3080
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        84⤵
        Drops file in Drivers directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:1396
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        86⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:3304
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        88⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:3868
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        90⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:724
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2508
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        92⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:732
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        94⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:3376
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        96⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:3580
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        98⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:4376
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        100⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2372
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        102⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:2604
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        104⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:3768
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        106⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:4820
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:1100
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        110⤵
        Drops file in Drivers directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:1952
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        112⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:2220
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        114⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:2172
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        116⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:3300
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        118⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:1612
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        120⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:1468
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        122⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:732
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:2976
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        124⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:740
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        126⤵
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:3300
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        128⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        129⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        130⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        131⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        132⤵
        Checks computer location settings
        
        PID:2076
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        133⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        134⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        135⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        136⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:1464
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        137⤵
        
        PID:436
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        139⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        140⤵
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        141⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        142⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        143⤵
        
        PID:392
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        144⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        145⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        146⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        147⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        148⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2192
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        149⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        150⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        
        PID:3780
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        151⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        152⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        153⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        154⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        155⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        156⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        157⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        158⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        159⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        160⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        161⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        162⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        163⤵
        
        PID:212
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        164⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        165⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        166⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        167⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        168⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        169⤵
        
        PID:392
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        170⤵
        Drops file in Drivers directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        171⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        172⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:748
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        173⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        174⤵
        Drops file in Drivers directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        175⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        176⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        177⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        178⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        179⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        180⤵
        Drops file in Drivers directory
        
        PID:1716
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        181⤵
        
        PID:212
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        182⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        
        PID:2668
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        183⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        184⤵
        Adds Run key to start application
        
        PID:3884
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        185⤵
        
        PID:512
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        186⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        187⤵
        
        PID:640
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        188⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        189⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        190⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        191⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        192⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        193⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        194⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        195⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        196⤵
        Adds Run key to start application
        
        PID:4072
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        197⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        198⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        199⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        200⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        201⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        202⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        203⤵
        
        PID:512
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        204⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:5092
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        205⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        206⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        207⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        208⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        209⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        210⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        211⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        212⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        213⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        214⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        215⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        216⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        217⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        218⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        219⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        220⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        221⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        222⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        223⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        224⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        225⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        226⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        227⤵
        
        PID:908
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        228⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        229⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        230⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        231⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        232⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        233⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        234⤵
        
        PID:936
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        235⤵
        
        PID:964
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        236⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        237⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        238⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        239⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        240⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        241⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        242⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        243⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        244⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        245⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        246⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        247⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        248⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        249⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        250⤵
        
        PID:440
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        251⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        252⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        253⤵
        
        PID:940
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        254⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        255⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        256⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        257⤵
        
        PID:624
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        258⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        259⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        260⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        261⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        262⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        263⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        264⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        265⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        266⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        267⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        268⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        269⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\SysWOW64\nvsys86.exe"
        270⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\nvsys86.exe
        
        "C:\Windows\system32\nvsys86.exe"
        271⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        271⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        271⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        271⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        269⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        269⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        269⤵
        
        PID:844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        269⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        269⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        270⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        267⤵
        
        PID:4460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        268⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        267⤵
        
        PID:116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        267⤵
        
        PID:3952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        268⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        267⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        267⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        265⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        265⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        265⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        265⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        265⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        263⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        263⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        263⤵
        
        PID:3420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        264⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        263⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        263⤵
        
        PID:628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        261⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        261⤵
        
        PID:324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        261⤵
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        262⤵
        
        PID:368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        261⤵
        
        PID:208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        262⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        261⤵
        
        PID:536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        259⤵
        
        PID:640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        259⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        259⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        259⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        259⤵
        
        PID:432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        257⤵
        
        PID:680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        257⤵
        
        PID:1952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        258⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        257⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        257⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        257⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        255⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        255⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        255⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        255⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        256⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        255⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        253⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        253⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        253⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        253⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        253⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        251⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        252⤵
        
        PID:920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        251⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        251⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        251⤵
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        252⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        251⤵
        
        PID:368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        252⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        249⤵
        
        PID:116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        249⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        249⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        249⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        249⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        247⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        247⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        247⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        247⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        247⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        245⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        245⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        245⤵
        
        PID:688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        245⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        245⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        243⤵
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        244⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        243⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        243⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        243⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        243⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        241⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        241⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        241⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        241⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        241⤵
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        242⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        239⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        239⤵
        
        PID:440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        239⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        239⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        239⤵
        
        PID:1820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        240⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        237⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        238⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        237⤵
        
        PID:3488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        238⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        237⤵
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        238⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        237⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        237⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        235⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        235⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        235⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        235⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        235⤵
        
        PID:984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        233⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        233⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        233⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        233⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        233⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        231⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        231⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        231⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        231⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        231⤵
        
        PID:820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        229⤵
        
        PID:2704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        230⤵
        
        PID:608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        229⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        229⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        229⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        229⤵
        
        PID:116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        227⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        227⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        227⤵
        
        PID:864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        227⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        227⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        225⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        225⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        225⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        225⤵
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        226⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        225⤵
        
        PID:712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        223⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        223⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        223⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        224⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        223⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        223⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        221⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        221⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        221⤵
        
        PID:3952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        222⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        221⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        221⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        219⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        219⤵
        
        PID:1824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        220⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        219⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        219⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        219⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        217⤵
        
        PID:3932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        218⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        217⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        217⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        217⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        217⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        215⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        215⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        215⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        215⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        215⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        213⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        213⤵
        
        PID:216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        213⤵
        
        PID:3068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        214⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        213⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        213⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        211⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        211⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        211⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        211⤵
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        212⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        211⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        209⤵
        
        PID:1784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        210⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        209⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        209⤵
        
        PID:740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        209⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        209⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        207⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        207⤵
        
        PID:324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        207⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        207⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        207⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        205⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        205⤵
        
        PID:640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        205⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        205⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        205⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        203⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        203⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        203⤵
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        204⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        203⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        203⤵
        
        PID:764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        201⤵
        
        PID:3440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        202⤵
        
        PID:404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        201⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        201⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        201⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        201⤵
        
        PID:920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        199⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        199⤵
        
        PID:864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        199⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        199⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        199⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        197⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        197⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        197⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        197⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        197⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        195⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        195⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        195⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        195⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        195⤵
        
        PID:844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        193⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        193⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        193⤵
        
        PID:704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        193⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        193⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        191⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        191⤵
        
        PID:920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        191⤵
        
        PID:1272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        191⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        191⤵
        
        PID:404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        189⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        189⤵
        
        PID:452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        189⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        189⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        189⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        187⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        187⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        187⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        187⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        187⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        185⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        186⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        185⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        185⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        185⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        185⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        183⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        183⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        183⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        183⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        183⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        181⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        181⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        181⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        181⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        181⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        179⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        179⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        179⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        179⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        179⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        177⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        177⤵
        
        PID:8
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        177⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        177⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        177⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        175⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        175⤵
        
        PID:512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        175⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        175⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        175⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        173⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        173⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        173⤵
        
        PID:984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        173⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        173⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        171⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        171⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        171⤵
        
        PID:920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        171⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        171⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        169⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        169⤵
        
        PID:4328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        169⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        169⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        169⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        167⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        167⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        167⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        167⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        167⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        165⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        165⤵
        
        PID:512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        165⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        165⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        165⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        163⤵
        
        PID:3280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        163⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        163⤵
        
        PID:908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        163⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        163⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        161⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        161⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        161⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        161⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        161⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        159⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        159⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        159⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        159⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        159⤵
        
        PID:540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        157⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        157⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        157⤵
        
        PID:2288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        157⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        157⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        155⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        155⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        156⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        155⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        155⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        155⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        153⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        153⤵
        
        PID:3432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        153⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        153⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        153⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        151⤵
        
        PID:936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        151⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        151⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        151⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        151⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        149⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        149⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        149⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        149⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        149⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        147⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        147⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        147⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        147⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        147⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        145⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        145⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        145⤵
        
        PID:688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        145⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        145⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        143⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        143⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        143⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        143⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        143⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        141⤵
        
        PID:2820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        141⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        141⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        141⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        141⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        139⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        139⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        139⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        139⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        139⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        137⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        137⤵
        
        PID:712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        137⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        137⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        137⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        135⤵
        
        PID:908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        135⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        135⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        135⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        135⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        133⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        133⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        133⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        133⤵
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        133⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        131⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        131⤵
        
        PID:3676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        131⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        131⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        131⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        129⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        129⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        129⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        129⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        129⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        127⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        127⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        127⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        127⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        127⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        125⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        125⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        125⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        125⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        125⤵
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        123⤵
        
        PID:764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        123⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        123⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        123⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        123⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        121⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        121⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        121⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        121⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        121⤵
        
        PID:60
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        119⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        119⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        119⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:3280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        117⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        117⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        117⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        115⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        115⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        115⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        113⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        113⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        113⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        111⤵
        
        PID:3680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        111⤵
        
        PID:844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        111⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        109⤵
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        109⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        109⤵
        
        PID:608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        107⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        107⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        107⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        105⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        105⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        105⤵
        
        PID:936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        103⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        103⤵
        
        PID:2812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        103⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        101⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        101⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        101⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        99⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        99⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        99⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        97⤵
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        97⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        97⤵
        
        PID:748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        95⤵
        
        PID:216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        95⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        95⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        93⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        93⤵
        
        PID:840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        93⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        91⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        91⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        91⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        89⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        89⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        89⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        87⤵
        
        PID:4820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        87⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        87⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        85⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        85⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        85⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        83⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        83⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        83⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        81⤵
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        81⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        81⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        79⤵
        
        PID:212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        79⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        79⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:3604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        77⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        77⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        77⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        75⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        75⤵
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        75⤵
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        73⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        73⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        73⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        71⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        71⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        71⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        69⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        69⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        67⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        65⤵
        
        PID:624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        63⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        61⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        
        PID:368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        59⤵
        
        PID:724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        57⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        55⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:2584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        53⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        51⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        49⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        47⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        45⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        
        PID:512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        43⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        41⤵
        
        PID:964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        39⤵
        
        PID:212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        37⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:1864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        35⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        33⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        31⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        29⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        27⤵
        
        PID:1140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        25⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:1568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:1228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        23⤵
        
        PID:536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        21⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:8
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        19⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        17⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        15⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        13⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        11⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        9⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        7⤵
        
        PID:4392
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:832
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:512
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\nvsys86.exe > nul
        5⤵
        
        PID:3848
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\27BED2~1.EXE > nul
    3⤵
    PID:3028

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv s350hZ/CK0qeRwHRJysObw.0.1
1⤵
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\nvsys86.exe

Filesize
42KB

MD5
27bed2b769dc018f0f0f329d7bd7f37b

SHA1
4f5f8985fe54ebae375bee381d95173166d5ac19

SHA256
8f2b1df6121a1aad9eecd3ce05146d2777ebeb439768add2d303657c6a4e0f60

SHA512
fedd890bbcf40eb1f2cbfe34f5cc2fd244659bd3ae53f8754dbcdcc31f4d15f9cd45ab27d2598c3d7ff61bc4695d83218cdd34662299cb9d3482f0f437ef8103

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
4KB

MD5
11f6cf33b3e24cfee3a811290d497982

SHA1
4d451808a3530540ed4d06938f8cf104aa32daa0

SHA256
f9542b717f26b0f05c769c1279de34698de0c9bf5078f584c645cfb3a1ad860b

SHA512
02e17dd4a8adb640c0eb271bc034e10ff337f369516a44e1cd5bcf950365b5e0d1a19b0627dcb93b82f13288be8028b008399f2cb52cc1b5bfb0664e9e848154

Download Submit
memory/640-342-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/640-350-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/688-565-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/688-558-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/732-638-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/732-630-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/920-318-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/920-326-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1152-176-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1152-187-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1168-60-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1168-69-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1200-458-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1200-450-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1276-282-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1276-289-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1396-589-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1396-582-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1464-253-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1464-262-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1468-83-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1624-217-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1624-208-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1784-436-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1784-446-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1892-330-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1892-338-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2192-505-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2192-498-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2272-374-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2272-366-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2508-618-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2508-626-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2708-67-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2812-0-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2812-7-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3032-172-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3032-163-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3076-398-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3076-390-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3080-570-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3080-578-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3108-247-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3108-238-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3268-54-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3268-43-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3304-594-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3304-601-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3324-306-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3324-313-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3376-650-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3376-642-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3416-89-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3416-97-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3580-654-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3580-662-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3604-482-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3604-474-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3660-542-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3660-534-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3808-529-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3808-522-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3868-606-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3868-613-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3884-142-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3884-133-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3980-362-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/3980-354-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4104-268-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4104-277-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4108-127-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4108-118-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4108-554-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4108-546-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4328-193-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4328-202-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4436-8-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/4436-4-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/4436-1-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/4436-2-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/4436-3-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/4480-157-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4480-148-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4504-421-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4504-414-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4660-510-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4660-517-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4684-81-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/4716-494-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4716-486-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4824-112-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4840-410-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4840-401-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4848-302-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4848-294-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4884-232-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4884-223-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4900-462-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4900-470-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4996-426-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/4996-434-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/5080-378-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/5080-385-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads