5facb6ab81515930978b8aca1a70ff2c9a899b82b078f0a56108a64a37ea58e7

Analysis

max time kernel
114s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Size

149KB
MD5

4012045460206ff1153ee15c957874e5
SHA1

e5ce8eb6ffd88418e52e9ba6c781939dc6760838
SHA256

5facb6ab81515930978b8aca1a70ff2c9a899b82b078f0a56108a64a37ea58e7
SHA512

18d28132d6a4017b260d9e6b6d2a2f22488eb767e577763fcbaa245b3cb748a8711ef32488584bf12fabf91c51b5094aea3ea8090fc6582718e878001420245a
SSDEEP

3072:vzYoutPgyj8gRXYhOLdhulE5Vuvy0VYZSagWM3ZP:bYoSPgQX1LSlQuvy0VYZkL

Score

8^/10

defense_evasion evasion persistence upx

Malware Config

Signatures

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mcvsvr.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	mcvsvr.exe

Executes dropped EXE 64 IoCs

pid	Process
756	mcvsvr.exe
3040	mcvsvr.exe
4392	mcvsvr.exe
4084	mcvsvr.exe
1200	mcvsvr.exe
3132	mcvsvr.exe
3244	mcvsvr.exe
5028	mcvsvr.exe
1416	mcvsvr.exe
3908	mcvsvr.exe
1232	mcvsvr.exe
5112	mcvsvr.exe
3544	mcvsvr.exe
5064	mcvsvr.exe
4840	mcvsvr.exe
4432	mcvsvr.exe
5100	mcvsvr.exe
2484	mcvsvr.exe
4796	mcvsvr.exe
1432	mcvsvr.exe
3896	mcvsvr.exe
2236	mcvsvr.exe
2676	mcvsvr.exe
4824	mcvsvr.exe
1120	mcvsvr.exe
4728	mcvsvr.exe
3500	mcvsvr.exe
2732	mcvsvr.exe
2928	mcvsvr.exe
4704	mcvsvr.exe
4004	mcvsvr.exe
2376	mcvsvr.exe
2984	mcvsvr.exe
3252	mcvsvr.exe
3708	mcvsvr.exe
1776	mcvsvr.exe
2232	mcvsvr.exe
1732	mcvsvr.exe
3244	mcvsvr.exe
4928	mcvsvr.exe
2052	mcvsvr.exe
508	mcvsvr.exe
4708	mcvsvr.exe
2664	mcvsvr.exe
3568	mcvsvr.exe
2588	mcvsvr.exe
4392	mcvsvr.exe
4800	mcvsvr.exe
4808	mcvsvr.exe
4240	mcvsvr.exe
4520	mcvsvr.exe
756	mcvsvr.exe
3500	mcvsvr.exe
1040	mcvsvr.exe
3708	mcvsvr.exe
4944	mcvsvr.exe
2636	mcvsvr.exe
3376	mcvsvr.exe
3164	mcvsvr.exe
3372	mcvsvr.exe
4536	mcvsvr.exe
368	mcvsvr.exe
3736	mcvsvr.exe
680	mcvsvr.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5044-0-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/5044-1-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/files/0x000b000000023474-7.dat	upx
behavioral2/memory/756-38-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/5044-40-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/756-47-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3040-45-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3040-53-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4392-59-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4084-65-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/1200-66-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3132-73-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/1200-72-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3132-79-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3244-80-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3244-86-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/5028-87-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/1416-94-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/5028-93-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3908-101-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/1416-100-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/1232-108-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3908-107-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/1232-114-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/5112-115-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/5112-121-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3544-127-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/5064-128-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4840-135-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/5064-134-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4840-141-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4432-147-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/5100-148-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/5100-154-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2484-155-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4796-162-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2484-161-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4796-167-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/1432-168-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/1432-174-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3896-175-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3896-181-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2676-184-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2236-186-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2676-190-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4824-191-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4824-195-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4728-200-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/1120-199-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4728-204-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3500-208-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2732-209-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2928-214-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2732-213-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2928-218-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4004-223-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4704-222-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/4004-227-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2376-231-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/2984-235-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3708-240-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3252-239-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/3708-244-0x0000000000010000-0x0000000000062000-memory.dmp	upx
behavioral2/memory/1776-248-0x0000000000010000-0x0000000000062000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\McAfee Internet Security = "mcvsvr.exe"	mcvsvr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File created	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File created	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File created	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File created	C:\Windows\SysWOW64\mcvsvr.exe	mcvsvr.exe
File opened for modification	C:\Windows\SysWOW64\mcvsvr.exe	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mcvsvr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	756	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3040	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4392	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4084	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1200	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3132	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3244	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	5028	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1416	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3908	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1232	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	5112	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3544	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	5064	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4840	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4432	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	5100	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2484	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4796	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1432	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3896	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2236	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2676	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4824	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1120	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4728	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3500	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2732	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2928	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4704	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4004	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2376	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2984	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3252	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3708	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1776	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2232	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1732	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3244	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4928	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2052	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	508	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4708	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2664	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3568	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2588	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4392	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4800	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4808	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4240	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4520	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	756	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3500	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	1040	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3708	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4944	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	2636	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3376	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3164	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3372	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	4536	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	368	mcvsvr.exe
Token: SeIncBasePriorityPrivilege	3736	mcvsvr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 756	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	88
PID 5044 wrote to memory of 756	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	88
PID 5044 wrote to memory of 756	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	88
PID 5044 wrote to memory of 4684	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	89
PID 5044 wrote to memory of 4684	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	89
PID 5044 wrote to memory of 4684	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	89
PID 5044 wrote to memory of 4784	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	90
PID 5044 wrote to memory of 4784	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	90
PID 5044 wrote to memory of 4784	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	90
PID 5044 wrote to memory of 2428	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	91
PID 5044 wrote to memory of 2428	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	91
PID 5044 wrote to memory of 2428	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	91
PID 5044 wrote to memory of 3052	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	92
PID 5044 wrote to memory of 3052	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	92
PID 5044 wrote to memory of 3052	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	92
PID 5044 wrote to memory of 4896	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	94
PID 5044 wrote to memory of 4896	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	94
PID 5044 wrote to memory of 4896	5044	4012045460206ff1153ee15c957874e5_JaffaCakes118.exe	94
PID 756 wrote to memory of 3040	756	mcvsvr.exe	100
PID 756 wrote to memory of 3040	756	mcvsvr.exe	100
PID 756 wrote to memory of 3040	756	mcvsvr.exe	100
PID 756 wrote to memory of 2812	756	mcvsvr.exe	101
PID 756 wrote to memory of 2812	756	mcvsvr.exe	101
PID 756 wrote to memory of 2812	756	mcvsvr.exe	101
PID 756 wrote to memory of 2724	756	mcvsvr.exe	102
PID 756 wrote to memory of 2724	756	mcvsvr.exe	102
PID 756 wrote to memory of 2724	756	mcvsvr.exe	102
PID 756 wrote to memory of 2732	756	mcvsvr.exe	103
PID 756 wrote to memory of 2732	756	mcvsvr.exe	103
PID 756 wrote to memory of 2732	756	mcvsvr.exe	103
PID 756 wrote to memory of 2132	756	mcvsvr.exe	104
PID 756 wrote to memory of 2132	756	mcvsvr.exe	104
PID 756 wrote to memory of 2132	756	mcvsvr.exe	104
PID 756 wrote to memory of 2472	756	mcvsvr.exe	105
PID 756 wrote to memory of 2472	756	mcvsvr.exe	105
PID 756 wrote to memory of 2472	756	mcvsvr.exe	105
PID 3040 wrote to memory of 4392	3040	mcvsvr.exe	111
PID 3040 wrote to memory of 4392	3040	mcvsvr.exe	111
PID 3040 wrote to memory of 4392	3040	mcvsvr.exe	111
PID 3040 wrote to memory of 1128	3040	mcvsvr.exe	163
PID 3040 wrote to memory of 1128	3040	mcvsvr.exe	163
PID 3040 wrote to memory of 1128	3040	mcvsvr.exe	163
PID 3040 wrote to memory of 636	3040	mcvsvr.exe	113
PID 3040 wrote to memory of 636	3040	mcvsvr.exe	113
PID 3040 wrote to memory of 636	3040	mcvsvr.exe	113
PID 3040 wrote to memory of 3928	3040	mcvsvr.exe	157
PID 3040 wrote to memory of 3928	3040	mcvsvr.exe	157
PID 3040 wrote to memory of 3928	3040	mcvsvr.exe	157
PID 3040 wrote to memory of 3988	3040	mcvsvr.exe	115
PID 3040 wrote to memory of 3988	3040	mcvsvr.exe	115
PID 3040 wrote to memory of 3988	3040	mcvsvr.exe	115
PID 3040 wrote to memory of 528	3040	mcvsvr.exe	116
PID 3040 wrote to memory of 528	3040	mcvsvr.exe	116
PID 3040 wrote to memory of 528	3040	mcvsvr.exe	116
PID 4392 wrote to memory of 4084	4392	mcvsvr.exe	123
PID 4392 wrote to memory of 4084	4392	mcvsvr.exe	123
PID 4392 wrote to memory of 4084	4392	mcvsvr.exe	123
PID 4392 wrote to memory of 2796	4392	mcvsvr.exe	124
PID 4392 wrote to memory of 2796	4392	mcvsvr.exe	124
PID 4392 wrote to memory of 2796	4392	mcvsvr.exe	124
PID 4392 wrote to memory of 3708	4392	mcvsvr.exe	125
PID 4392 wrote to memory of 3708	4392	mcvsvr.exe	125
PID 4392 wrote to memory of 3708	4392	mcvsvr.exe	125
PID 4392 wrote to memory of 1272	4392	mcvsvr.exe	126

C:\Users\Admin\AppData\Local\Temp\4012045460206ff1153ee15c957874e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4012045460206ff1153ee15c957874e5_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\mcvsvr.exe
  "C:\Windows\system32\mcvsvr.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\mcvsvr.exe
    "C:\Windows\system32\mcvsvr.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\mcvsvr.exe
      "C:\Windows\system32\mcvsvr.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
      - C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        7⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        17⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        18⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        20⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        21⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        22⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        31⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        34⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        36⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        38⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        40⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        43⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        44⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        45⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        48⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        49⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        50⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        53⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        55⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        59⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:680
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        66⤵
        
        PID:948
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        67⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        68⤵
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        69⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        70⤵
        Drops file in Drivers directory
        
        PID:3556
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        71⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        73⤵
        Adds Run key to start application
        
        PID:4112
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        74⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        75⤵
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        76⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:4268
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        77⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        78⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        79⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        83⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        84⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2164
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        85⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4160
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        86⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        87⤵
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        88⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        89⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        90⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:4388
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        91⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2556
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        92⤵
        Adds Run key to start application
        
        PID:3280
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        93⤵
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        94⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        95⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        96⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        97⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        98⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2392
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        99⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        100⤵
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        101⤵
        Checks computer location settings
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        102⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        103⤵
        Adds Run key to start application
        
        PID:3812
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        104⤵
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        105⤵
        Drops file in Drivers directory
        
        PID:3964
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        106⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        107⤵
        Drops file in Drivers directory
        
        PID:4548
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        108⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        109⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        111⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        112⤵
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        113⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        114⤵
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        115⤵
        Checks computer location settings
        
        PID:4912
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        116⤵
        Adds Run key to start application
        
        PID:4320
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        117⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        118⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:1624
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        119⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        120⤵
        Adds Run key to start application
        
        PID:4764
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        121⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        122⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1648
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        123⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        124⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        125⤵
        Drops file in Drivers directory
        
        PID:5080
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        126⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        127⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        128⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2792
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        129⤵
        Checks computer location settings
        
        PID:5028
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        130⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        131⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        132⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        133⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        134⤵
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        135⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        136⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        137⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        138⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        139⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        140⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:4808
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        141⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        142⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:4544
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        143⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        144⤵
        Checks computer location settings
        
        PID:4840
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        145⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        146⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        147⤵
        Adds Run key to start application
        
        PID:4948
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        148⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        149⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        150⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        151⤵
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\mcvsvr.exe
        
        "C:\Windows\system32\mcvsvr.exe"
        152⤵
        Drops file in Drivers directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        152⤵
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        152⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        152⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        152⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        152⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        151⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        151⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        151⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        151⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        151⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        150⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        150⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        150⤵
        
        PID:116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        150⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        150⤵
        
        PID:348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        149⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        149⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        149⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        149⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        149⤵
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        148⤵
        
        PID:836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        148⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        148⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        148⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        148⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        147⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        147⤵
        
        PID:2928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        147⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        147⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        147⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        146⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        146⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        146⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        146⤵
        
        PID:528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        146⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        145⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        145⤵
        
        PID:4700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        145⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        145⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        145⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        144⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        144⤵
        
        PID:948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        144⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        144⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        144⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        143⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        143⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        143⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        143⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        143⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        142⤵
        
        PID:1676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        142⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        142⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        142⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        142⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        141⤵
        
        PID:528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        141⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        141⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        141⤵
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        141⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        140⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        140⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        140⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        140⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        140⤵
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        139⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        139⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        139⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        139⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        139⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        138⤵
        
        PID:3560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        138⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        138⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        138⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        138⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        137⤵
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        137⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        137⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        137⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        137⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        136⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        136⤵
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        136⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        136⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        136⤵
        
        PID:804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        135⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        135⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        135⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        135⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        135⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        134⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        134⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        134⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        134⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        134⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        133⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        133⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        133⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        133⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        133⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        132⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        132⤵
        
        PID:1676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        132⤵
        
        PID:4296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        132⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        132⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        131⤵
        
        PID:756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        131⤵
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        131⤵
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        131⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        131⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        130⤵
        
        PID:764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        130⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        130⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        130⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        130⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        129⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        129⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        129⤵
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        129⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        129⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        128⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        128⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        128⤵
        
        PID:1352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        128⤵
        
        PID:1016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        128⤵
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        127⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        127⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        127⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        127⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        127⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        126⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        126⤵
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        126⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        126⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        126⤵
        
        PID:348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        125⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        125⤵
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        125⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        125⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        125⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        124⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        124⤵
        
        PID:2684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        124⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        124⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        124⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        123⤵
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        123⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        123⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        123⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        123⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        122⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        122⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        122⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        122⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        122⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        121⤵
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        121⤵
        
        PID:2052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        121⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        121⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        121⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        120⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        120⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        120⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        120⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        120⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        119⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        119⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        119⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        118⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        118⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        118⤵
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        118⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        118⤵
        
        PID:1936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:2496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        117⤵
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        117⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        117⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        116⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        116⤵
        
        PID:384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        116⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        116⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        116⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        115⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        115⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        115⤵
        
        PID:416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        114⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        114⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        114⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        114⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        114⤵
        
        PID:680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        113⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        113⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        113⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        112⤵
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        112⤵
        
        PID:116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        112⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        112⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        112⤵
        
        PID:2400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        111⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        111⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        111⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        110⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        110⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        110⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        110⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        110⤵
        
        PID:764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        109⤵
        
        PID:312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        109⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        109⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        108⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        108⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        108⤵
        
        PID:320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        108⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        108⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        107⤵
        
        PID:3704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        107⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        107⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        106⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        106⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        106⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        106⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        106⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        105⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        105⤵
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        105⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        104⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        104⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        104⤵
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        104⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        104⤵
        
        PID:2680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        103⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        103⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        103⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        102⤵
        
        PID:1648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        102⤵
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        102⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        102⤵
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        102⤵
        
        PID:804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        101⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        101⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        101⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        100⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        100⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        100⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        100⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        100⤵
        
        PID:632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        99⤵
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        99⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        99⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        98⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        98⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        98⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        98⤵
        
        PID:860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        98⤵
        
        PID:636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        97⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        97⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        97⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        96⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        96⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        96⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        96⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        96⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        95⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        95⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        95⤵
        
        PID:4916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        94⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        94⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        94⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        94⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        94⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        93⤵
        
        PID:3944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        93⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        93⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        92⤵
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        92⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        92⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        92⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        92⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        91⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        91⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        91⤵
        
        PID:180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        90⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        90⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        90⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        90⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        90⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        89⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        89⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        89⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        88⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        88⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        88⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        88⤵
        
        PID:3564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        88⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        87⤵
        
        PID:4964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        87⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        87⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        86⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        86⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        86⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        86⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        86⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:3456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        85⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        85⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        85⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        84⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        84⤵
        
        PID:2068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        84⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        84⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        84⤵
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        83⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        83⤵
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        83⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        82⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        82⤵
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        82⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        82⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        82⤵
        
        PID:2684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        
        PID:884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        81⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        81⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        81⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        80⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        80⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        80⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        80⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        80⤵
        
        PID:348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        79⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        79⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        79⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        78⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        78⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        78⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        78⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        78⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:2584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        77⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        77⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        77⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        76⤵
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        76⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        76⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        76⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        76⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        75⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        75⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        75⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        74⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        74⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        74⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        74⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        74⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        73⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        73⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        73⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        72⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        72⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        72⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        72⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        72⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        71⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        71⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        71⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        70⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        70⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        70⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        70⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        70⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        69⤵
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        69⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        68⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        68⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        68⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        68⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        68⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        67⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        66⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        66⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        66⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        66⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        66⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        65⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        64⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        64⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        64⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        64⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        64⤵
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        63⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        62⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        62⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        62⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        62⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        62⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        61⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        60⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        60⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        60⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        60⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        60⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:4268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        59⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        58⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        58⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        58⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        58⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        58⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        57⤵
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        56⤵
        
        PID:1408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        56⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        56⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        56⤵
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        56⤵
        
        PID:1896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        55⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        54⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        54⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        54⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        54⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        54⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:2024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        53⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        52⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        52⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        52⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        52⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        52⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        51⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        50⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        50⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        50⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        50⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        50⤵
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        49⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        48⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        48⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        48⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        48⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        48⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:4240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        47⤵
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        46⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        46⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        46⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        46⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        46⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:4704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        45⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        44⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        44⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        44⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        44⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        44⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        43⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        42⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        42⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        42⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        42⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        42⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        41⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        40⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        40⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        40⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        40⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        40⤵
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        39⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        38⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        38⤵
        
        PID:664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        38⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        38⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        38⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        37⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        36⤵
        
        PID:2612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        36⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        36⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        36⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        36⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        35⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        34⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        34⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        34⤵
        
        PID:916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        34⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        34⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:2132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        33⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        32⤵
        
        PID:1408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        32⤵
        
        PID:760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        32⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        32⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        32⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        31⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        30⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        30⤵
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        30⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        30⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        30⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        29⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        28⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        28⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        28⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        28⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        28⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        27⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        26⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        26⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        26⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        26⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        26⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:1700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        25⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        24⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        24⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        24⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        24⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        24⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        23⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        22⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        22⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        22⤵
        
        PID:860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        22⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        22⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        21⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        20⤵
        
        PID:884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        20⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        20⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        20⤵
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        20⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        19⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        18⤵
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        18⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        18⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        18⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        18⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        17⤵
        
        PID:828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        16⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        16⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        16⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        16⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        16⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        15⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        14⤵
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        14⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        14⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        14⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        14⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:2928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        13⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        12⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        12⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        12⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        12⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        12⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        11⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        10⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        10⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        10⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        10⤵
        
        PID:440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        9⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        8⤵
        
        PID:3928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        8⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        8⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        8⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        8⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        7⤵
        
        PID:1700
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        6⤵
        
        PID:2148
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        6⤵
        
        PID:3636
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:4324
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:4012
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        6⤵
        
        PID:2016
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:1272
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
        5⤵
        
        PID:3896
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:3928
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
      4⤵
      PID:528
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\mcvsvr.exe > nul
    3⤵
    PID:2472
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:4684
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:4784
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:2428
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:3052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\401204~1.EXE > nul
  2⤵
  PID:4896

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mcvsvr.exe

Filesize
149KB

MD5
4012045460206ff1153ee15c957874e5

SHA1
e5ce8eb6ffd88418e52e9ba6c781939dc6760838

SHA256
5facb6ab81515930978b8aca1a70ff2c9a899b82b078f0a56108a64a37ea58e7

SHA512
18d28132d6a4017b260d9e6b6d2a2f22488eb767e577763fcbaa245b3cb748a8711ef32488584bf12fabf91c51b5094aea3ea8090fc6582718e878001420245a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
11KB

MD5
f09964b9e0560deb4a211fcdf11ff155

SHA1
35106780792cfd2964ded2abe62d68134ed53f4b

SHA256
d85f05042c26521acfe39770e4ac07b59504f59a3ab4483b025fbb6f58c4c712

SHA512
1467cac9fb5dfa6c5c3333f742548209e2611dfce3ea27ffc0d19ad526204a6ed3504d26e2fc430b45834e612157b9147af1d63996ee99c34d4f52299b68489a

Download Submit
memory/508-274-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/508-270-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/756-38-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/756-47-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/756-320-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1040-325-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1040-329-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1120-199-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1200-72-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1200-66-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1232-108-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1232-114-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1416-94-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1416-100-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1432-174-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1432-168-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1732-257-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1776-248-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2052-269-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2232-253-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2232-249-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2236-186-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2376-231-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2484-155-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2484-161-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2588-294-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2588-290-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2636-342-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2664-280-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2664-284-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2676-184-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2676-190-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2732-213-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2732-209-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2928-214-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2928-218-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/2984-235-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3040-45-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3040-53-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3132-73-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3132-79-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3164-348-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3244-261-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3244-80-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3244-86-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3252-239-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3376-343-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3376-347-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3500-324-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3500-208-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3544-127-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3568-289-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3568-285-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3708-330-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3708-334-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3708-244-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3708-240-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3896-181-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3896-175-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3908-107-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/3908-101-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4004-227-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4004-223-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4084-65-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4240-311-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4240-307-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4392-59-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4392-297-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4432-147-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4520-312-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4520-316-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4704-222-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4708-275-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4708-279-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4728-204-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4728-200-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4796-167-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4796-162-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4800-302-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4808-306-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4824-195-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4824-191-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4840-135-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4840-141-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4928-262-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/4944-338-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5028-87-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5028-93-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5044-2-0x0000000000041000-0x0000000000061000-memory.dmp

Filesize
128KB

Download
memory/5044-40-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5044-0-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5044-1-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5064-128-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5064-134-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5100-148-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5100-154-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5112-115-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/5112-121-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads