5facb6ab81515930978b8aca1a70ff2c9a899b82b078f0a56108a64a37ea58e7

Analysis

max time kernel
42s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Size

149KB
MD5

4012045460206ff1153ee15c957874e5
SHA1

e5ce8eb6ffd88418e52e9ba6c781939dc6760838
SHA256

5facb6ab81515930978b8aca1a70ff2c9a899b82b078f0a56108a64a37ea58e7
SHA512

18d28132d6a4017b260d9e6b6d2a2f22488eb767e577763fcbaa245b3cb748a8711ef32488584bf12fabf91c51b5094aea3ea8090fc6582718e878001420245a
SSDEEP

3072:vzYoutPgyj8gRXYhOLdhulE5Vuvy0VYZSagWM3ZP:bYoSPgQX1LSlQuvy0VYZkL

Score

8^/10

defense_evasion evasion persistence upx

Malware Config

Signatures

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2732	mcvsvr.exe
1520	mcvsvr.exe
2200	mcvsvr.exe
1744	mcvsvr.exe
2996	mcvsvr.exe
2316	mcvsvr.exe
1636	mcvsvr.exe
2156	mcvsvr.exe
3020	mcvsvr.exe
2552	mcvsvr.exe
2364	mcvsvr.exe
2908	mcvsvr.exe
1524	mcvsvr.exe
2280	mcvsvr.exe
1596	mcvsvr.exe
1728	mcvsvr.exe
1520	mcvsvr.exe
2908	mcvsvr.exe
2448	mcvsvr.exe
1760	mcvsvr.exe
2896	mcvsvr.exe
1368	mcvsvr.exe
1988	mcvsvr.exe
2808	mcvsvr.exe
2536	mcvsvr.exe
1628	mcvsvr.exe
1572	mcvsvr.exe
3016	mcvsvr.exe
3060	mcvsvr.exe
2116	mcvsvr.exe
2652	mcvsvr.exe
2924	mcvsvr.exe
1384	mcvsvr.exe
3016	mcvsvr.exe
3060	mcvsvr.exe
2688	mcvsvr.exe
2452	mcvsvr.exe
2924	mcvsvr.exe
2332	mcvsvr.exe
2392	mcvsvr.exe
2932	mcvsvr.exe
900	mcvsvr.exe
1392	mcvsvr.exe
2848	mcvsvr.exe
1868	mcvsvr.exe
2828	mcvsvr.exe
932	mcvsvr.exe
2584	mcvsvr.exe
2140	mcvsvr.exe
1604	mcvsvr.exe
2600	mcvsvr.exe
2644	mcvsvr.exe
1988	mcvsvr.exe
2648	mcvsvr.exe
2160	mcvsvr.exe
1796	mcvsvr.exe
2600	mcvsvr.exe
668	mcvsvr.exe
2112	mcvsvr.exe
3048	mcvsvr.exe
2160	mcvsvr.exe
2928	mcvsvr.exe
2600	mcvsvr.exe
2060	mcvsvr.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe

Loads dropped DLL 64 IoCs

pid	Process
2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
2732	mcvsvr.exe
2732	mcvsvr.exe
1520	mcvsvr.exe
1520	mcvsvr.exe
2200	mcvsvr.exe
2200	mcvsvr.exe
1744	mcvsvr.exe
1744	mcvsvr.exe
2996	mcvsvr.exe
2996	mcvsvr.exe
2316	mcvsvr.exe
2316	mcvsvr.exe
1636	mcvsvr.exe
1636	mcvsvr.exe
2156	mcvsvr.exe
2156	mcvsvr.exe
3020	mcvsvr.exe
3020	mcvsvr.exe
2552	mcvsvr.exe
2552	mcvsvr.exe
2364	mcvsvr.exe
2364	mcvsvr.exe
2908	mcvsvr.exe
2908	mcvsvr.exe
1524	mcvsvr.exe
1524	mcvsvr.exe
2280	mcvsvr.exe
2280	mcvsvr.exe
1596	mcvsvr.exe
1596	mcvsvr.exe
1728	mcvsvr.exe
1728	mcvsvr.exe
1520	mcvsvr.exe
1520	mcvsvr.exe
2908	mcvsvr.exe
2908	mcvsvr.exe
2448	mcvsvr.exe
2448	mcvsvr.exe
1760	mcvsvr.exe
1760	mcvsvr.exe
2896	mcvsvr.exe
2896	mcvsvr.exe
1368	mcvsvr.exe
1368	mcvsvr.exe
1988	mcvsvr.exe
1988	mcvsvr.exe
2808	mcvsvr.exe
2808	mcvsvr.exe
2536	mcvsvr.exe
2536	mcvsvr.exe
1628	mcvsvr.exe
1628	mcvsvr.exe
1572	mcvsvr.exe
1572	mcvsvr.exe
3016	mcvsvr.exe
3016	mcvsvr.exe
3060	mcvsvr.exe
3060	mcvsvr.exe
2116	mcvsvr.exe
2116	mcvsvr.exe
2652	mcvsvr.exe
2652	mcvsvr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2968-0-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/files/0x0007000000012119-5.dat	upx
behavioral1/memory/2968-11-0x0000000003100000-0x0000000003152000-memory.dmp	upx
behavioral1/memory/2732-16-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2968-17-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2732-29-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1520-27-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1520-39-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2200-40-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1744-49-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2200-51-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1744-60-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2996-61-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2996-71-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2316-69-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2316-79-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1636-89-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2156-88-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2156-97-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/3020-98-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/3020-109-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2552-107-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2552-117-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2364-118-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2908-127-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2364-129-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1524-136-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2908-138-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2280-147-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1524-149-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1596-153-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2280-154-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1596-159-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1728-164-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1520-167-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2908-173-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2448-178-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1760-182-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2896-183-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2896-189-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1368-187-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1368-194-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1988-195-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1988-201-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2808-200-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2808-207-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1628-212-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2536-214-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1628-218-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1572-219-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1572-225-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/3016-229-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/3060-230-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/3060-237-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2116-235-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2652-242-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2116-241-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2652-248-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1384-255-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/2924-254-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/1384-262-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/3016-260-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/3016-268-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral1/memory/3060-266-0x0000000000010000-0x0000000000062000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2732	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1520	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2200	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1744	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2996	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2316	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1636	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2156	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3020	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2552	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2364	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2908	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1524	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2280	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1596	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1728	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1520	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2908	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2448	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1760	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2896	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1368	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1988	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2808	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2536	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1628	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1572	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3016	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3060	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2116	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2652	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2924	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1384	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3016	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3060	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2688	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2452	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2924	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2332	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2392	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2932	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	900	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1392	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2848	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1868	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2828	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	932	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2584	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2140	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1604	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2600	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2644	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1988	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2648	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2160	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1796	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2600	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	668	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2112	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3048	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2160	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2928	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2600	mcvsvr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2732	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2732	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2732	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2732	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2836	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2836	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2836	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2836	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2744	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	32
PID 2968 wrote to memory of 2744	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	32
PID 2968 wrote to memory of 2744	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	32
PID 2968 wrote to memory of 2744	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	32
PID 2968 wrote to memory of 2728	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	33
PID 2968 wrote to memory of 2728	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	33
PID 2968 wrote to memory of 2728	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	33
PID 2968 wrote to memory of 2728	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	33
PID 2968 wrote to memory of 2488	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	34
PID 2968 wrote to memory of 2488	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	34
PID 2968 wrote to memory of 2488	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	34
PID 2968 wrote to memory of 2488	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	34
PID 2968 wrote to memory of 2804	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	35
PID 2968 wrote to memory of 2804	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	35
PID 2968 wrote to memory of 2804	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	35
PID 2968 wrote to memory of 2804	2968	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	35
PID 2732 wrote to memory of 1520	2732	mcvsvr.exe	41
PID 2732 wrote to memory of 1520	2732	mcvsvr.exe	41
PID 2732 wrote to memory of 1520	2732	mcvsvr.exe	41
PID 2732 wrote to memory of 1520	2732	mcvsvr.exe	41
PID 2732 wrote to memory of 2064	2732	mcvsvr.exe	42
PID 2732 wrote to memory of 2064	2732	mcvsvr.exe	42
PID 2732 wrote to memory of 2064	2732	mcvsvr.exe	42
PID 2732 wrote to memory of 2064	2732	mcvsvr.exe	42
PID 2732 wrote to memory of 328	2732	mcvsvr.exe	98
PID 2732 wrote to memory of 328	2732	mcvsvr.exe	98
PID 2732 wrote to memory of 328	2732	mcvsvr.exe	98
PID 2732 wrote to memory of 328	2732	mcvsvr.exe	98
PID 2732 wrote to memory of 1080	2732	mcvsvr.exe	44
PID 2732 wrote to memory of 1080	2732	mcvsvr.exe	44
PID 2732 wrote to memory of 1080	2732	mcvsvr.exe	44
PID 2732 wrote to memory of 1080	2732	mcvsvr.exe	44
PID 2732 wrote to memory of 1704	2732	mcvsvr.exe	45
PID 2732 wrote to memory of 1704	2732	mcvsvr.exe	45
PID 2732 wrote to memory of 1704	2732	mcvsvr.exe	45
PID 2732 wrote to memory of 1704	2732	mcvsvr.exe	45
PID 2732 wrote to memory of 2004	2732	mcvsvr.exe	47
PID 2732 wrote to memory of 2004	2732	mcvsvr.exe	47
PID 2732 wrote to memory of 2004	2732	mcvsvr.exe	47
PID 2732 wrote to memory of 2004	2732	mcvsvr.exe	47
PID 1520 wrote to memory of 2200	1520	mcvsvr.exe	52
PID 1520 wrote to memory of 2200	1520	mcvsvr.exe	52
PID 1520 wrote to memory of 2200	1520	mcvsvr.exe	52
PID 1520 wrote to memory of 2200	1520	mcvsvr.exe	52
PID 1520 wrote to memory of 2156	1520	mcvsvr.exe	107
PID 1520 wrote to memory of 2156	1520	mcvsvr.exe	107
PID 1520 wrote to memory of 2156	1520	mcvsvr.exe	107
PID 1520 wrote to memory of 2156	1520	mcvsvr.exe	107
PID 1520 wrote to memory of 1648	1520	mcvsvr.exe	113
PID 1520 wrote to memory of 1648	1520	mcvsvr.exe	113
PID 1520 wrote to memory of 1648	1520	mcvsvr.exe	113
PID 1520 wrote to memory of 1648	1520	mcvsvr.exe	113
PID 1520 wrote to memory of 1656	1520	mcvsvr.exe	111
PID 1520 wrote to memory of 1656	1520	mcvsvr.exe	111
PID 1520 wrote to memory of 1656	1520	mcvsvr.exe	111
PID 1520 wrote to memory of 1656	1520	mcvsvr.exe	111

C:\Users\Admin\AppData\Local\Temp\4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4012045460206ff1153ee15c957874e5_JaffaCakes118.exe"
1⤵
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\mcvsvr.exe
  "C:\Windows\system32\mcvsvr.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\mcvsvr.exe
    "C:\Windows\system32\mcvsvr.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\mcvsvr.exe
      "C:\Windows\system32\mcvsvr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:2200
    - - C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
      - C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        19⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        23⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        25⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        30⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        34⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        36⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        37⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        40⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        44⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        46⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        48⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        63⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        65⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2060
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        66⤵
        Adds Run key to start application
        
        PID:3000
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        67⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2708
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        68⤵
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        69⤵
        Adds Run key to start application
        
        PID:332
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        70⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:576
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        71⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        72⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        73⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        74⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        75⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        76⤵
        Drops file in Drivers directory
        
        PID:576
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        77⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        78⤵
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        79⤵
        Drops file in Drivers directory
        
        PID:1864
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        80⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1592
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        81⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        82⤵
        
        PID:576
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        83⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        84⤵
        Adds Run key to start application
        
        PID:992
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        85⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        87⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        88⤵
        Drops file in Drivers directory
        
        PID:576
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        89⤵
        Drops file in Drivers directory
        
        PID:2840
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        90⤵
        Drops file in Drivers directory
        
        PID:808
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        91⤵
        Drops file in Drivers directory
        
        PID:3036
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        92⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        93⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1536
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        94⤵
        Drops file in Drivers directory
        
        PID:2928
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        95⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        96⤵
        Adds Run key to start application
        
        PID:1508
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        97⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        98⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        99⤵
        Drops file in Drivers directory
        
        PID:1104
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        100⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2864
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        101⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        102⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        103⤵
        Drops file in Drivers directory
        
        PID:1920
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        104⤵
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        105⤵
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        106⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:580
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        107⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        108⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        109⤵
        Adds Run key to start application
        
        PID:1536
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        110⤵
        Drops file in Drivers directory
        
        PID:2928
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        111⤵
        Drops file in Drivers directory
        
        PID:1640
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        112⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        113⤵
        Drops file in Drivers directory
        
        PID:1808
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        114⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        115⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        116⤵
        Drops file in Drivers directory
        
        PID:1172
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        117⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        118⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        119⤵
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        120⤵
        Drops file in Drivers directory
        
        PID:2636
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        121⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1816
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        122⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        123⤵
        Drops file in Drivers directory
        
        PID:1720
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        124⤵
        Adds Run key to start application
        
        PID:1984
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        125⤵
        Drops file in Drivers directory
        
        PID:1820
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        126⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        127⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        128⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        129⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2416
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        130⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        131⤵
        
        PID:684
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        132⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        133⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2656
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        134⤵
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        135⤵
        Drops file in Drivers directory
        
        PID:3020
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        136⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        137⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2204
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        138⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2992
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        139⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        140⤵
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        141⤵
        Adds Run key to start application
        
        PID:3008
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        142⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1696
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        143⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        144⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        145⤵
        Drops file in Drivers directory
        
        PID:2964
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        146⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        147⤵
        Drops file in System32 directory
        
        PID:684
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        148⤵
        Drops file in Drivers directory
        
        PID:2828
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        149⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2676
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        150⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        151⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        152⤵
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        153⤵
        Adds Run key to start application
        
        PID:2412
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        154⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        155⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        156⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1972
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        157⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        157⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        157⤵
        
        PID:568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        157⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        157⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        156⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        156⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        156⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        156⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        156⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        155⤵
        
        PID:848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        155⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        155⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        155⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        155⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        154⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        154⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        154⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        154⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        154⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        153⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        153⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        153⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        153⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        153⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        152⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        152⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        152⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        152⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        152⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        151⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        151⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        151⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        151⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        151⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        150⤵
        
        PID:996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        150⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        150⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        150⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        150⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        149⤵
        
        PID:804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        149⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        149⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        149⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        149⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        148⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        148⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        148⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        148⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        148⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        147⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        147⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        147⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        147⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        147⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        146⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        146⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        146⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        146⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        146⤵
        
        PID:808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        145⤵
        
        PID:264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        145⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        145⤵
        
        PID:992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        145⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        145⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        144⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        144⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        144⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        144⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        144⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        143⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        143⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        143⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        143⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        143⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        142⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        142⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        142⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        142⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        142⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        141⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        141⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        141⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        141⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        141⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        140⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        140⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        140⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        140⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        140⤵
        
        PID:332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        139⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        139⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        139⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        139⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        139⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        138⤵
        
        PID:904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        138⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        138⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        138⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        138⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        137⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        137⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        137⤵
        
        PID:356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        137⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        137⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        136⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        136⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        136⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        136⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        136⤵
        
        PID:932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        135⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        135⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        135⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        135⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        135⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        134⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        134⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        134⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        134⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        134⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        133⤵
        
        PID:860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        133⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        133⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        133⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        133⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        132⤵
        
        PID:744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        132⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        132⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        132⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        132⤵
        
        PID:876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        131⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        131⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        131⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        131⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        131⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        130⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        130⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        130⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        130⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        130⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        129⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        129⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        129⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        129⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        129⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        128⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        128⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        128⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        128⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        128⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        127⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        127⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        127⤵
        
        PID:580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        127⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        127⤵
        
        PID:988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        126⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        126⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        126⤵
        
        PID:784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        126⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        126⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        125⤵
        
        PID:588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        125⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        125⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        125⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        125⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        124⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        124⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        124⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        124⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        124⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        123⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        123⤵
        
        PID:912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        123⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        123⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        123⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        122⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        122⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        122⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        122⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        122⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        121⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        121⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        121⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        121⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        121⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        120⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        120⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        120⤵
        
        PID:604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        120⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        120⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        119⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        119⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        119⤵
        
        PID:288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        118⤵
        
        PID:716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        118⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        118⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        118⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        118⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        117⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        117⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        117⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        116⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        116⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        116⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        116⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        116⤵
        
        PID:900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        115⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        115⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        115⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        114⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        114⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        114⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        114⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        114⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        113⤵
        
        PID:916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        113⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        113⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        112⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        112⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        112⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        112⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        112⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        111⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        111⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        111⤵
        
        PID:744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        110⤵
        
        PID:332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        110⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        110⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        110⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        110⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        
        PID:944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        109⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        109⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        109⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        108⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        108⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        108⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        108⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        108⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        107⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        107⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        107⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        106⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        106⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        106⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        106⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        106⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        105⤵
        
        PID:684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        105⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        105⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        104⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        104⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        104⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        104⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        104⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        103⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        103⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        103⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        102⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        102⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        102⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        102⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        102⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        101⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        101⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        101⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        100⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        100⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        100⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        100⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        100⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        99⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        99⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        99⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        98⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        98⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        98⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        98⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        98⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        97⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        97⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        97⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        96⤵
        
        PID:744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        96⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        96⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        96⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        96⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        95⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        95⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        95⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        94⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        94⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        94⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        94⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        94⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        93⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        93⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        93⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        92⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        92⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        92⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        92⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        92⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        91⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        91⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        91⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        90⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        90⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        90⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        90⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        90⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        89⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        89⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        89⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        88⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        88⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        88⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        88⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        88⤵
        
        PID:840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        87⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        87⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        87⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        86⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        86⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        86⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        86⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        86⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        85⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        85⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        85⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        84⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        84⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        84⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        84⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        84⤵
        
        PID:288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        83⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        83⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        83⤵
        
        PID:912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        82⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        82⤵
        
        PID:448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        82⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        82⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        82⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        81⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        81⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        81⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        80⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        80⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        80⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        80⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        80⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        79⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        79⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        79⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        78⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        78⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        78⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        78⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        78⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        77⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        77⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        77⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        76⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        76⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        76⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        76⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        76⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        75⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        75⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        75⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        74⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        74⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        74⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        74⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        74⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        73⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        73⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        73⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        72⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        72⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        72⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        72⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        72⤵
        
        PID:528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        71⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        71⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        71⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        70⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        70⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        70⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        70⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        70⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        69⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        69⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        68⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        68⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        68⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        68⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        68⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        67⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        66⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        66⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        66⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        66⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        66⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        65⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        64⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        64⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        64⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        64⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        64⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        63⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        62⤵
        
        PID:632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        62⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        62⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        62⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        62⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        61⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        60⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        60⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        60⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        60⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        60⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        
        PID:880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        59⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        58⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        58⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        58⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        58⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        58⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        57⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        56⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        56⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        56⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        56⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        56⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        55⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        54⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        54⤵
        
        PID:588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        54⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        54⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        54⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        53⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        52⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        52⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        52⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        52⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        52⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        51⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        50⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        50⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        50⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        50⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        50⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        49⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        48⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        48⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        48⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        48⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        48⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        47⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        46⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        46⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        46⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        46⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        46⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        45⤵
        
        PID:860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        44⤵
        
        PID:840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        44⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        44⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        44⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        44⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        43⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        42⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        42⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        42⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        42⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        42⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        41⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        40⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        40⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        40⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        40⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        40⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        39⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        38⤵
        
        PID:848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        38⤵
        
        PID:528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        38⤵
        
        PID:632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        38⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        38⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        37⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        36⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        36⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        36⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        36⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        36⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        35⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        34⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        34⤵
        
        PID:588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        34⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        34⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        34⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        
        PID:580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        33⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        32⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        32⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        32⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        32⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        32⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        31⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        30⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        30⤵
        
        PID:380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        30⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        30⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        30⤵
        
        PID:860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        29⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        28⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        28⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        28⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        28⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        28⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        27⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        26⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        26⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        26⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        26⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        26⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        25⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        24⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        24⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        24⤵
        
        PID:876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        24⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        24⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        23⤵
        
        PID:496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        22⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        22⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        22⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        22⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        22⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        21⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        20⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        20⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        20⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        20⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        20⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        19⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        18⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        18⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        18⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        18⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        18⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        17⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        16⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        16⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        16⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        16⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        16⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        15⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        14⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        14⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        14⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        14⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        14⤵
        
        PID:988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        13⤵
        
        PID:356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        12⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        12⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        12⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        12⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        12⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        11⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        10⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        10⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        10⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        10⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        9⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        8⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        8⤵
        
        PID:328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        8⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        8⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        7⤵
        
        PID:2804
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        6⤵
        
        PID:2356
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        6⤵
        
        PID:2408
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:2216
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:2368
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        6⤵
        
        PID:2372
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:1808
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:904
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:912
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        5⤵
        
        PID:716
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
      4⤵
      PID:568
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:328
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
    3⤵
    PID:2004
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:2836
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:2744
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:2728
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\401204~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1716898641-1494450695777837726722793443373524715-131844369216763514971920881537"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-297448470-743723161-626639913-1527317955-6900317961359308529646299443-1312209210"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "199540464518655743112740466051844926966-879809774-1723901643-321427215-1277509655"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "301419947-873666521-1180643947-1714169497-2093898239535752295-117785412-532263392"
1⤵
PID:2992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1935708056178551439216960804561427598395-814840833-17842955971492197051-363984068"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9436181601364747843-162439493-270185676-1877970047463223833918199228787716049"
1⤵
PID:1520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1678958596-188518032813797066951023927834-405664481-275518726-1102410736502072481"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-171003366818420744671252589758618291380-1530092642276134367-58604871368850756"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-295583776-1163874955-1347047917-106033895-1883041107-2004488836-1628916951-1777438004"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5566198171679146816-2141833393783018894-1551396520-1898385262-955398975-1733475973"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-176778233565020478-826405072069604346-136580586173425217-551217371991896338"
1⤵
PID:496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4341316081006337803-1652680025-78865332143977723762109180923399822-990004835"
1⤵
PID:356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1893320097-2143124075314370187857247695183244253977510258-1557873009-969095044"
1⤵
PID:1220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1754980065581826190-298457778-1603532864-1240087255858255399-2922259351882306981"
1⤵
PID:408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1287051460-1814086261754694120-1253246556-710367361-567280011208450194-2119355862"
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "964076799-1868631670-74425476945903879-179236120422845979610553324502064667035"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1286417964-1972708740-4340913951600879257-2126953998498735401-1962264617-223854576"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-341573848-106901733418692895301524114456-16852096374260107081982227163-1969888131"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1420421108-31033534465757708-16165870849192068841040526199-268422518712638012"
1⤵
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1196407872-1426815734-493186278-19349252812787955383737965262047922576253057952"
1⤵
PID:1368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1403819971668812981-1977055228-47082223310465460701800057115825739944-1532040182"
1⤵
PID:876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11100350072741415911262559997392062829-1092823772-427950658-1955004546-1461218300"
1⤵
PID:1412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-773150140172656315616659058411347557-17408914495295345422032636761-603730544"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-200588582-599098416-1719571065-1374861806-1448654685-1438652011960848587-13007958"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1708109765-1220004222671442261-1328583095-1396569197-3788580141523293257-1258287615"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1387459370-1420794401-102373856-1564431095-332908379-1273741463-1392819286-207143847"
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-206988975-1332782668-1322051695116515882573131061176622808433636960-695527215"
1⤵
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1014387356-936226153-1818365436-3034991268038509681488707673-450196009-1162650137"
1⤵
PID:2356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-909670871-805305471185698180123171297430692383611353420531266745155419738426"
1⤵
PID:836

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1350145499-296887400622239331421077608-542033349-635341622-1224177846-748880618"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "109423620010413018001229144200-865928871-1642738537-1735685482-2081684268920084553"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1685163352-364101420167045156797261377-146574469619953948411068323306645640807"
1⤵
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "106778871772444311415709657075065479882329893415768659019533205901326168185"
1⤵
PID:2208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1563088095-2097180273862996070940276941-323275-15087009054933412511881087633"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1023532097-8433621301064088945140574753119959302517360489221488999531-446066822"
1⤵
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "67586285481698671-79496549-24906186-642920945-1578529054-798817539-436244924"
1⤵
PID:1784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-517844624431230597192003941513057425682103691024636230370-1578170215-923084309"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1418673705-338663218-1428165088-120952047-626441901200394485-1920951325-115817672"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1295825152-16098336115772845781872759328-19737913941852557200950429328-1197611293"
1⤵
PID:380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "152208455418863553001825187911454618390-16502249531565752297-1698089937-810682461"
1⤵
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2930161251566661259142314053-9139958318325670396368743211233247751-1220414830"
1⤵
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2082647001488859240-791424304-343240732145053868717277398242106009334-601525599"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1649291053-557422-3764500651620605009-526575158394188945645754306-53979065"
1⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "702310821515457244-1123072518-886930001380670133-566319549-698526427-45282101"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "109882097142737960239825958-1976891759145791229218246581551629927622581533054"
1⤵
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3266871221426578993-11705908083526444241734153106-1761847739-1224535083-1743452158"
1⤵
PID:3064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1546658722654115391-1139154408-234361498-1806417806-1519219786-292642928-916590356"
1⤵
PID:860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-792626092-1996074538-53831425910502418718817182416996590421539395499836011557"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-298176821-414683602-7318108051982132588-137348709220447697361701708993730603251"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1365885867-1529874646-668947510-1256005753-66627632610249906021874976652-821596914"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1452565543970974189-176003164-2047275155-1042040382094807722936600263-177515620"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-686777489-1840499741933146005-934142862866162031374645152240959180-2111009415"
1⤵
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1049358483-21031765831483421826-2880823761115339236-8551926971491804986-620437203"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2068083446-614604436-1018208400-511728461497381770137653158-18757415592113211244"
1⤵
PID:840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1522520756-26406379791415500-1557044090-218418360-1849802870509850280-171776237"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15712408711606205869-538534702-973299762-339747231-178521424419028002531295315376"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2055650869373886637-1555462159-18280654576433794511547031911577186197773746117"
1⤵
PID:848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2140661670-52528681383376098-16699467361651643931-700912661-1222560885704723650"
1⤵
PID:1072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-89734205764690760-69415492288145108-1814555593-1041165343977207390-899814512"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1579932357-3718602281768074042690861267-995652658-12235015911147541387-770540607"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2134860600304166310-13300832-1906362082-1653635552-29663739511962928301636679492"
1⤵
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1188862033-2076273502-1903768642-151157996-236844461-1111863222-14971550031842836824"
1⤵
PID:1352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "45116507-1974032666-461464716-9905432101219477340-1006899969-103180851663722318"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10377367020001696436924932-685880141-5922508959539757943710427051385437007"
1⤵
PID:1760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2816971152092903449579349605629651649-16372763291523265899-11562190941321893413"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1456646267-621730105-1496615397-659195348-1064628599-1809032202976278245-104810440"
1⤵
PID:1236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "137144950312383111851910118423-1178398564222889224-40754612-348498451-137741834"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1497682534173008636154668651617237673111035607095-1299916960-20197768881308259955"
1⤵
PID:1904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-922333326-1702403891-82471696470991565019803448001493444741371680020132573914"
1⤵
PID:632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2071613697-7822148891996254887-3619502112319431801160966115519846487577408774"
1⤵
PID:528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-58034053015554794081829950859-155462583620432770031978336835-452476000927924920"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6264720891183717002458564273-1197179597-2020352458-12045380215524560171233527721"
1⤵
PID:1292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1210951510-902002250-525220265-2119059969-209069320617857529736360796101629376640"
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1092263337-113256927-28715483315598022452094839621-117319459-1936544315987456509"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1696776447325864555256100752-1814090861-935111367127424431678855188-1214755925"
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18823801381808569165-1870523548-2044034034-301004609-1900273823-151614772924117469"
1⤵
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2106757325-18182300622120666384952500083-2014606790-117065256074007801-323527786"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-967278861844086144-353016124187815558-1390551728-77010965-11046036451919157259"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "107834761-635346466-1493371686219250169-11315563171082300619-507349539200302033"
1⤵
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-654792339-953291523-48448827430329232416342277618315252082072682861-1896789531"
1⤵
PID:1304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-956978069776787762-187030664-870137831-28433719047564210019476865511372691546"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1157121773-1283834945-2077555164-149657941-289000431-4235036641846469763-266979872"
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1933203933-1574986450-670222279-1994817557-19519732461034046271-1931812547775712179"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8915401602139311981-1783450349-27978522922312390505205978-126302202851434446"
1⤵
PID:860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-342047647-9694246581164471971-610871444-1495517992118773508017388102741584830349"
1⤵
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-68235087-8862811261618871604-10280644091812718282-5030431662101041889276971846"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1274867368-6880573481085297897-611567208-1476806087-12235379581385968353-304412947"
1⤵
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\drivers\etc\hosts

Filesize
11KB

MD5
f09964b9e0560deb4a211fcdf11ff155

SHA1
35106780792cfd2964ded2abe62d68134ed53f4b

SHA256
d85f05042c26521acfe39770e4ac07b59504f59a3ab4483b025fbb6f58c4c712

SHA512
1467cac9fb5dfa6c5c3333f742548209e2611dfce3ea27ffc0d19ad526204a6ed3504d26e2fc430b45834e612157b9147af1d63996ee99c34d4f52299b68489a

Download Submit
\Windows\SysWOW64\mcvsvr.exe

Filesize
149KB

MD5
4012045460206ff1153ee15c957874e5

SHA1
e5ce8eb6ffd88418e52e9ba6c781939dc6760838

SHA256
5facb6ab81515930978b8aca1a70ff2c9a899b82b078f0a56108a64a37ea58e7

SHA512
18d28132d6a4017b260d9e6b6d2a2f22488eb767e577763fcbaa245b3cb748a8711ef32488584bf12fabf91c51b5094aea3ea8090fc6582718e878001420245a

Download Submit
memory/1368-187-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1368-191-0x0000000003030000-0x0000000003082000-memory.dmp

Filesize
328KB

Download
memory/1368-194-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1384-262-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1384-259-0x00000000031B0000-0x0000000003202000-memory.dmp

Filesize
328KB

Download
memory/1384-256-0x00000000031B0000-0x0000000003202000-memory.dmp

Filesize
328KB

Download
memory/1384-255-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1520-38-0x0000000003210000-0x0000000003262000-memory.dmp

Filesize
328KB

Download
memory/1520-167-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1520-37-0x0000000003210000-0x0000000003262000-memory.dmp

Filesize
328KB

Download
memory/1520-39-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1520-27-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1524-149-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1524-136-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1524-141-0x00000000031B0000-0x0000000003202000-memory.dmp

Filesize
328KB

Download
memory/1524-142-0x00000000031B0000-0x0000000003202000-memory.dmp

Filesize
328KB

Download
memory/1572-225-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1572-220-0x00000000032A0000-0x00000000032F2000-memory.dmp

Filesize
328KB

Download
memory/1572-219-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1572-223-0x00000000032A0000-0x00000000032F2000-memory.dmp

Filesize
328KB

Download
memory/1596-155-0x00000000030C0000-0x0000000003112000-memory.dmp

Filesize
328KB

Download
memory/1596-159-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1596-153-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1596-156-0x00000000030C0000-0x0000000003112000-memory.dmp

Filesize
328KB

Download
memory/1628-218-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1628-212-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1636-82-0x00000000033C0000-0x0000000003412000-memory.dmp

Filesize
328KB

Download
memory/1636-83-0x00000000033C0000-0x0000000003412000-memory.dmp

Filesize
328KB

Download
memory/1636-89-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1728-164-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1744-54-0x00000000031F0000-0x0000000003242000-memory.dmp

Filesize
328KB

Download
memory/1744-60-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1744-49-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1760-182-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1988-196-0x0000000003490000-0x00000000034E2000-memory.dmp

Filesize
328KB

Download
memory/1988-201-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1988-197-0x0000000003490000-0x00000000034E2000-memory.dmp

Filesize
328KB

Download
memory/1988-195-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2116-235-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2116-241-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2156-88-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2156-97-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2200-48-0x0000000001ED0000-0x0000000001F22000-memory.dmp

Filesize
328KB

Download
memory/2200-51-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2200-40-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2280-147-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2280-154-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2316-69-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2316-79-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2364-118-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2364-129-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2364-122-0x0000000003380000-0x00000000033D2000-memory.dmp

Filesize
328KB

Download
memory/2448-176-0x00000000036C0000-0x0000000003712000-memory.dmp

Filesize
328KB

Download
memory/2448-178-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2536-211-0x0000000003190000-0x00000000031E2000-memory.dmp

Filesize
328KB

Download
memory/2536-214-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2536-208-0x0000000003190000-0x00000000031E2000-memory.dmp

Filesize
328KB

Download
memory/2552-107-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2552-117-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2652-243-0x0000000003380000-0x00000000033D2000-memory.dmp

Filesize
328KB

Download
memory/2652-244-0x0000000003380000-0x00000000033D2000-memory.dmp

Filesize
328KB

Download
memory/2652-248-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2652-242-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2732-21-0x0000000002AD0000-0x0000000002B22000-memory.dmp

Filesize
328KB

Download
memory/2732-29-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2732-16-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2808-207-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2808-205-0x0000000003150000-0x00000000031A2000-memory.dmp

Filesize
328KB

Download
memory/2808-204-0x0000000003150000-0x00000000031A2000-memory.dmp

Filesize
328KB

Download
memory/2808-200-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2896-183-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2896-186-0x0000000002FF0000-0x0000000003042000-memory.dmp

Filesize
328KB

Download
memory/2896-189-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2908-127-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2908-171-0x0000000002C10000-0x0000000002C62000-memory.dmp

Filesize
328KB

Download
memory/2908-138-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2908-173-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2924-254-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2924-252-0x0000000002FF0000-0x0000000003042000-memory.dmp

Filesize
328KB

Download
memory/2924-251-0x0000000002FF0000-0x0000000003042000-memory.dmp

Filesize
328KB

Download
memory/2968-0-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2968-11-0x0000000003100000-0x0000000003152000-memory.dmp

Filesize
328KB

Download
memory/2968-12-0x0000000003100000-0x0000000003152000-memory.dmp

Filesize
328KB

Download
memory/2968-1-0x0000000000041000-0x0000000000061000-memory.dmp

Filesize
128KB

Download
memory/2968-17-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2968-18-0x0000000000041000-0x0000000000061000-memory.dmp

Filesize
128KB

Download
memory/2996-71-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2996-61-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3016-260-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3016-268-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3016-265-0x0000000003380000-0x00000000033D2000-memory.dmp

Filesize
328KB

Download
memory/3016-229-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3020-98-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3020-109-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3020-106-0x0000000003230000-0x0000000003282000-memory.dmp

Filesize
328KB

Download
memory/3060-237-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3060-231-0x0000000002840000-0x0000000002892000-memory.dmp

Filesize
328KB

Download
memory/3060-232-0x0000000002840000-0x0000000002892000-memory.dmp

Filesize
328KB

Download
memory/3060-230-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3060-266-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads