aeecf05ef9b20d0ba0ed0fed299d5c07161e4d35daab807a714372da90cee5db

Analysis

max time kernel
45s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
Size

45KB
MD5

ea765260c975618896c278e32ca46a18
SHA1

5b57e2a51b208253c9c9c1634e08ed55995dafdc
SHA256

aeecf05ef9b20d0ba0ed0fed299d5c07161e4d35daab807a714372da90cee5db
SHA512

5b94aae419f88379fd2029292e7643cd558f897cf552cf5e9c8a2d7f0f8cb6b77b91f2e750447e99e09eb1b03b2d858653d8e3f4985b73f1762fcbf272dda2ed
SSDEEP

768:+DI8ys6q0TwnbyqVcxwjygB2dQ0t95h/EkkVuawz+ytXAKhhu+Bp:+Dk1zwb83gB2qsZkAVJhNp

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	windowsmsnlive.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	windowsmsnlive.exe

Executes dropped EXE 64 IoCs

pid	Process
1576	windowsmsnlive.exe
2360	windowsmsnlive.exe
3264	windowsmsnlive.exe
4692	windowsmsnlive.exe
1912	windowsmsnlive.exe
4460	windowsmsnlive.exe
4976	windowsmsnlive.exe
1076	windowsmsnlive.exe
4148	windowsmsnlive.exe
2056	windowsmsnlive.exe
3912	windowsmsnlive.exe
3836	windowsmsnlive.exe
2084	windowsmsnlive.exe
4584	windowsmsnlive.exe
4072	windowsmsnlive.exe
1512	windowsmsnlive.exe
3644	windowsmsnlive.exe
3652	windowsmsnlive.exe
3240	windowsmsnlive.exe
4412	windowsmsnlive.exe
3056	windowsmsnlive.exe
1424	windowsmsnlive.exe
392	windowsmsnlive.exe
3040	windowsmsnlive.exe
1296	windowsmsnlive.exe
732	windowsmsnlive.exe
1764	windowsmsnlive.exe
4984	windowsmsnlive.exe
1448	windowsmsnlive.exe
3496	windowsmsnlive.exe
3664	windowsmsnlive.exe
4640	windowsmsnlive.exe
4456	windowsmsnlive.exe
1296	windowsmsnlive.exe
436	windowsmsnlive.exe
716	windowsmsnlive.exe
3396	windowsmsnlive.exe
1168	windowsmsnlive.exe
3000	windowsmsnlive.exe
2376	windowsmsnlive.exe
3668	windowsmsnlive.exe
1892	windowsmsnlive.exe
824	windowsmsnlive.exe
1920	windowsmsnlive.exe
2824	windowsmsnlive.exe
3236	windowsmsnlive.exe
4352	windowsmsnlive.exe
2468	windowsmsnlive.exe
2072	windowsmsnlive.exe
3724	windowsmsnlive.exe
4736	windowsmsnlive.exe
1716	windowsmsnlive.exe
3568	windowsmsnlive.exe
1220	windowsmsnlive.exe
4672	windowsmsnlive.exe
4972	windowsmsnlive.exe
1252	windowsmsnlive.exe
4048	windowsmsnlive.exe
624	windowsmsnlive.exe
5076	windowsmsnlive.exe
3376	windowsmsnlive.exe
2164	windowsmsnlive.exe
5048	windowsmsnlive.exe
1680	windowsmsnlive.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe"	windowsmsnlive.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File opened for modification	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe
File created	C:\Windows\SysWOW64\windowsmsnlive.exe	windowsmsnlive.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3912 set thread context of 1496	3912	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	81
PID 1576 set thread context of 2360	1576	windowsmsnlive.exe	92
PID 3264 set thread context of 4692	3264	windowsmsnlive.exe	104
PID 1912 set thread context of 4460	1912	windowsmsnlive.exe	114
PID 4976 set thread context of 1076	4976	windowsmsnlive.exe	126
PID 4148 set thread context of 2056	4148	windowsmsnlive.exe	140
PID 3912 set thread context of 3836	3912	windowsmsnlive.exe	154
PID 2084 set thread context of 4584	2084	windowsmsnlive.exe	165
PID 4072 set thread context of 1512	4072	windowsmsnlive.exe	178
PID 3644 set thread context of 3652	3644	windowsmsnlive.exe	190
PID 3240 set thread context of 4412	3240	windowsmsnlive.exe	202
PID 3056 set thread context of 1424	3056	windowsmsnlive.exe	502
PID 392 set thread context of 3040	392	windowsmsnlive.exe	226
PID 1296 set thread context of 732	1296	windowsmsnlive.exe	239
PID 1764 set thread context of 4984	1764	windowsmsnlive.exe	247
PID 1448 set thread context of 3496	1448	windowsmsnlive.exe	264
PID 3664 set thread context of 4640	3664	windowsmsnlive.exe	276
PID 4456 set thread context of 1296	4456	windowsmsnlive.exe	288
PID 436 set thread context of 716	436	windowsmsnlive.exe	771
PID 3396 set thread context of 1168	3396	windowsmsnlive.exe	313
PID 3000 set thread context of 2376	3000	windowsmsnlive.exe	322
PID 3668 set thread context of 1892	3668	windowsmsnlive.exe	337
PID 824 set thread context of 1920	824	windowsmsnlive.exe	964
PID 2824 set thread context of 3236	2824	windowsmsnlive.exe	361
PID 4352 set thread context of 2468	4352	windowsmsnlive.exe	810
PID 2072 set thread context of 3724	2072	windowsmsnlive.exe	385
PID 4736 set thread context of 1716	4736	windowsmsnlive.exe	1305
PID 3568 set thread context of 1220	3568	windowsmsnlive.exe	411
PID 4672 set thread context of 4972	4672	windowsmsnlive.exe	420
PID 1252 set thread context of 4048	1252	windowsmsnlive.exe	586
PID 624 set thread context of 5076	624	windowsmsnlive.exe	447
PID 3376 set thread context of 2164	3376	windowsmsnlive.exe	455
PID 5048 set thread context of 1680	5048	windowsmsnlive.exe	470
PID 2684 set thread context of 4312	2684	windowsmsnlive.exe	483
PID 4608 set thread context of 3664	4608	windowsmsnlive.exe	493
PID 4556 set thread context of 4072	4556	windowsmsnlive.exe	1292
PID 4588 set thread context of 1264	4588	windowsmsnlive.exe	518
PID 1920 set thread context of 3320	1920	windowsmsnlive.exe	531
PID 2196 set thread context of 3280	2196	windowsmsnlive.exe	541
PID 3088 set thread context of 3632	3088	windowsmsnlive.exe	1676
PID 2172 set thread context of 5056	2172	windowsmsnlive.exe	1702
PID 5048 set thread context of 1480	5048	windowsmsnlive.exe	579
PID 4424 set thread context of 3948	4424	windowsmsnlive.exe	758
PID 4716 set thread context of 4024	4716	windowsmsnlive.exe	1915
PID 4712 set thread context of 4696	4712	windowsmsnlive.exe	612
PID 1340 set thread context of 1716	1340	windowsmsnlive.exe	1769
PID 1764 set thread context of 2032	1764	windowsmsnlive.exe	1970
PID 3912 set thread context of 4124	3912	windowsmsnlive.exe	651
PID 1132 set thread context of 4084	1132	windowsmsnlive.exe	1954
PID 4656 set thread context of 4456	4656	windowsmsnlive.exe	675
PID 2664 set thread context of 2476	2664	windowsmsnlive.exe	687
PID 212 set thread context of 4968	212	windowsmsnlive.exe	699
PID 4436 set thread context of 2764	4436	windowsmsnlive.exe	711
PID 1776 set thread context of 4548	1776	windowsmsnlive.exe	720
PID 1516 set thread context of 5116	1516	windowsmsnlive.exe	1806
PID 2028 set thread context of 4168	2028	windowsmsnlive.exe	2319
PID 324 set thread context of 3948	324	windowsmsnlive.exe	758
PID 1888 set thread context of 4580	1888	windowsmsnlive.exe	770
PID 3660 set thread context of 3104	3660	windowsmsnlive.exe	2419
PID 4236 set thread context of 1292	4236	windowsmsnlive.exe	2463
PID 3972 set thread context of 3672	3972	windowsmsnlive.exe	2429
PID 4648 set thread context of 2772	4648	windowsmsnlive.exe	1157
PID 3208 set thread context of 3328	3208	windowsmsnlive.exe	831
PID 4336 set thread context of 4672	4336	windowsmsnlive.exe	1349

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsmsnlive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowsmsnlive.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2360	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4692	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4460	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1076	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	2056	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3836	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4584	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1512	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3652	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4412	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1424	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3040	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	732	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4984	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3496	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4640	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1296	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	716	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1168	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	2376	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1892	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1920	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3236	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	2468	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3724	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1716	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1220	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4972	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4048	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	5076	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	2164	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1680	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4312	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3664	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4072	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1264	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3320	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3280	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3632	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	5056	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1480	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3948	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4024	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4696	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1716	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	2032	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4124	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4084	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4456	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	2476	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4968	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	2764	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4548	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	5116	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4168	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3948	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4580	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3104	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	1292	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3672	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	2772	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	3328	windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege	4672	windowsmsnlive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 1496	3912	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	81
PID 3912 wrote to memory of 1496	3912	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	81
PID 3912 wrote to memory of 1496	3912	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	81
PID 3912 wrote to memory of 1496	3912	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	81
PID 3912 wrote to memory of 1496	3912	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	81
PID 3912 wrote to memory of 1496	3912	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	81
PID 3912 wrote to memory of 1496	3912	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	81
PID 3912 wrote to memory of 1496	3912	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	81
PID 3912 wrote to memory of 1496	3912	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	81
PID 1496 wrote to memory of 1576	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	82
PID 1496 wrote to memory of 1576	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	82
PID 1496 wrote to memory of 1576	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	82
PID 1496 wrote to memory of 2084	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	83
PID 1496 wrote to memory of 2084	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	83
PID 1496 wrote to memory of 2084	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	83
PID 1496 wrote to memory of 1580	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	84
PID 1496 wrote to memory of 1580	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	84
PID 1496 wrote to memory of 1580	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	84
PID 1496 wrote to memory of 5036	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	85
PID 1496 wrote to memory of 5036	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	85
PID 1496 wrote to memory of 5036	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	85
PID 1496 wrote to memory of 1372	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	86
PID 1496 wrote to memory of 1372	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	86
PID 1496 wrote to memory of 1372	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	86
PID 1496 wrote to memory of 1668	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	88
PID 1496 wrote to memory of 1668	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	88
PID 1496 wrote to memory of 1668	1496	ea765260c975618896c278e32ca46a18_JaffaCakes118.exe	88
PID 1576 wrote to memory of 2360	1576	windowsmsnlive.exe	92
PID 1576 wrote to memory of 2360	1576	windowsmsnlive.exe	92
PID 1576 wrote to memory of 2360	1576	windowsmsnlive.exe	92
PID 1576 wrote to memory of 2360	1576	windowsmsnlive.exe	92
PID 1576 wrote to memory of 2360	1576	windowsmsnlive.exe	92
PID 1576 wrote to memory of 2360	1576	windowsmsnlive.exe	92
PID 1576 wrote to memory of 2360	1576	windowsmsnlive.exe	92
PID 1576 wrote to memory of 2360	1576	windowsmsnlive.exe	92
PID 1576 wrote to memory of 2360	1576	windowsmsnlive.exe	92
PID 2360 wrote to memory of 3264	2360	windowsmsnlive.exe	94
PID 2360 wrote to memory of 3264	2360	windowsmsnlive.exe	94
PID 2360 wrote to memory of 3264	2360	windowsmsnlive.exe	94
PID 2360 wrote to memory of 4548	2360	windowsmsnlive.exe	95
PID 2360 wrote to memory of 4548	2360	windowsmsnlive.exe	95
PID 2360 wrote to memory of 4548	2360	windowsmsnlive.exe	95
PID 2360 wrote to memory of 3752	2360	windowsmsnlive.exe	96
PID 2360 wrote to memory of 3752	2360	windowsmsnlive.exe	96
PID 2360 wrote to memory of 3752	2360	windowsmsnlive.exe	96
PID 2360 wrote to memory of 1536	2360	windowsmsnlive.exe	97
PID 2360 wrote to memory of 1536	2360	windowsmsnlive.exe	97
PID 2360 wrote to memory of 1536	2360	windowsmsnlive.exe	97
PID 2360 wrote to memory of 2708	2360	windowsmsnlive.exe	98
PID 2360 wrote to memory of 2708	2360	windowsmsnlive.exe	98
PID 2360 wrote to memory of 2708	2360	windowsmsnlive.exe	98
PID 2360 wrote to memory of 952	2360	windowsmsnlive.exe	99
PID 2360 wrote to memory of 952	2360	windowsmsnlive.exe	99
PID 2360 wrote to memory of 952	2360	windowsmsnlive.exe	99
PID 3264 wrote to memory of 4692	3264	windowsmsnlive.exe	104
PID 3264 wrote to memory of 4692	3264	windowsmsnlive.exe	104
PID 3264 wrote to memory of 4692	3264	windowsmsnlive.exe	104
PID 3264 wrote to memory of 4692	3264	windowsmsnlive.exe	104
PID 3264 wrote to memory of 4692	3264	windowsmsnlive.exe	104
PID 3264 wrote to memory of 4692	3264	windowsmsnlive.exe	104
PID 3264 wrote to memory of 4692	3264	windowsmsnlive.exe	104
PID 3264 wrote to memory of 4692	3264	windowsmsnlive.exe	104
PID 3264 wrote to memory of 4692	3264	windowsmsnlive.exe	104
PID 4692 wrote to memory of 1912	4692	windowsmsnlive.exe	106

C:\Users\Admin\AppData\Local\Temp\ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea765260c975618896c278e32ca46a18_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea765260c975618896c278e32ca46a18_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\windowsmsnlive.exe
    "C:\Windows\system32\windowsmsnlive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\windowsmsnlive.exe
      "C:\Windows\SysWOW64\windowsmsnlive.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3264
      - C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1912
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4976
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        10⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3912
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        14⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2084
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4072
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        18⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3644
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        20⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3056
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:392
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1296
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        28⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:732
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1764
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        30⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1448
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3664
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        34⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4456
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        36⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:436
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3396
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        40⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3000
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3668
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        44⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:824
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        46⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2824
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3236
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4352
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2072
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4736
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3568
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4672
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        58⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1252
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:624
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        62⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3376
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        64⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5048
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:2684
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        68⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:4608
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        70⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:4556
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        72⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:4588
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        74⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:1920
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        76⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:2196
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        78⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:3088
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        80⤵
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:2172
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        82⤵
        Drops file in Drivers directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:5048
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        84⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:4424
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        86⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:4716
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        88⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:4712
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        90⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:1340
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        92⤵
        Drops file in Drivers directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:1764
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        94⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:3912
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        96⤵
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:1132
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        98⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:4656
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        100⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2664
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        102⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:212
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        104⤵
        Drops file in Drivers directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:4436
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        106⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:1776
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        108⤵
        Drops file in Drivers directory
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:1516
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        110⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        111⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        112⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:324
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        114⤵
        Drops file in Drivers directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:1888
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        116⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:3660
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        118⤵
        Drops file in Drivers directory
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:4236
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        120⤵
        Drops file in Drivers directory
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:3972
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        122⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:4648
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        124⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        126⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:4336
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        128⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        129⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        130⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        131⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        132⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        133⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        134⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        136⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        137⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        138⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        139⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        140⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        141⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        142⤵
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        143⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        144⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        145⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        146⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        148⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        149⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        150⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        151⤵
        
        PID:680
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        152⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        153⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        154⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4104
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        155⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        156⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        158⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        159⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        160⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        161⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        162⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        163⤵
        
        PID:912
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        164⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        165⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        166⤵
        Drops file in Drivers directory
        
        PID:2072
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        167⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        168⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        
        PID:2800
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        169⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        170⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        171⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        172⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        173⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        174⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2392
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        176⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        177⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        178⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:3268
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        179⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        180⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        181⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        182⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        183⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        184⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        185⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        186⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        187⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        188⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        
        PID:4424
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        189⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        190⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1288
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        191⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        192⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        193⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        194⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        195⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        196⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        197⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        198⤵
        Checks computer location settings
        
        PID:4424
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        199⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        200⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        201⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        202⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        203⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        204⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        205⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        206⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        
        PID:3220
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        208⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        209⤵
        
        PID:228
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        210⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        212⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        213⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        214⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        215⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        216⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        217⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        218⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        219⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        220⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        221⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        222⤵
        Drops file in Drivers directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        223⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        224⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        225⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        226⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1112
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        227⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        228⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        229⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        230⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        231⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        232⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        233⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        234⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        235⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        236⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        237⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        238⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        239⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        240⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        241⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        242⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        243⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        244⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        245⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        246⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        247⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        248⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        249⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        250⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        251⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        252⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        253⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        254⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        255⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        256⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        257⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        258⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        259⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        260⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        261⤵
        
        PID:244
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        262⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        263⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        264⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        265⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        266⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        267⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        268⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        269⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        270⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        271⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        272⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        273⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\SysWOW64\windowsmsnlive.exe"
        274⤵
        
        PID:428
        
        C:\Windows\SysWOW64\windowsmsnlive.exe
        
        "C:\Windows\system32\windowsmsnlive.exe"
        275⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        273⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        273⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        273⤵
        
        PID:3760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        274⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        273⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        273⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        271⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        271⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        271⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        271⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        271⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        269⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        269⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        269⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        269⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        270⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        269⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        267⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        267⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        267⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        267⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        267⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        265⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        265⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        265⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        265⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        265⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        263⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        263⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        263⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        263⤵
        
        PID:3604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        264⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        263⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        261⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        261⤵
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        262⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        261⤵
        
        PID:1204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        262⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        261⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        261⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        259⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        259⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        259⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        259⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        259⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        257⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        257⤵
        
        PID:1104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        258⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        257⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        257⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        257⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        255⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        255⤵
        
        PID:736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        256⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        255⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        255⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        255⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        253⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        253⤵
        
        PID:992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        253⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        253⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        254⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        253⤵
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        254⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        251⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        251⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        251⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        251⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        251⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        249⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        249⤵
        
        PID:4036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        250⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        249⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        249⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        249⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        247⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        247⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        247⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        247⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        247⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        245⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        245⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        245⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        245⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        245⤵
        
        PID:736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        243⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        243⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        244⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        243⤵
        
        PID:2824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        244⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        243⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        243⤵
        
        PID:3000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        244⤵
        
        PID:912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        241⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        241⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        241⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        241⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        241⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        239⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        239⤵
        
        PID:764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        239⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        239⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        239⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        237⤵
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        238⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        237⤵
        
        PID:2392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        238⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        237⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        237⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        237⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        235⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        235⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        235⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        235⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        235⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        233⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        233⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        233⤵
        
        PID:908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        233⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        233⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        231⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        231⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        231⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        231⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        231⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        229⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        229⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        229⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        229⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        230⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        229⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        227⤵
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        228⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        227⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        227⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        227⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        225⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        225⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        225⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        225⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        225⤵
        
        PID:1920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        226⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        223⤵
        
        PID:872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        223⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        223⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        223⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        221⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        221⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        222⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        221⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        221⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        221⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        219⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        219⤵
        
        PID:232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        219⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        219⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        220⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        217⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        217⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        217⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        218⤵
        
        PID:224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        217⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        217⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        215⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        215⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        215⤵
        
        PID:4284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        216⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        215⤵
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        216⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        213⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        213⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        213⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        213⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        211⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        211⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        211⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        211⤵
        
        PID:680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        209⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        209⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        209⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        209⤵
        
        PID:968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        207⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        208⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        207⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        207⤵
        
        PID:212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        207⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        207⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        205⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        205⤵
        
        PID:1716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        206⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        205⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        205⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        205⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        203⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        203⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        203⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        203⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        203⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        201⤵
        
        PID:324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        201⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        201⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        199⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        199⤵
        
        PID:2708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        199⤵
        
        PID:920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        199⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        199⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        197⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        197⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        197⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        197⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        197⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        195⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        195⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        195⤵
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        195⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        193⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        193⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        193⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        193⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        193⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        191⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        191⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        191⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        191⤵
        
        PID:324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        189⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        189⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        189⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        189⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        189⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        187⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        187⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        187⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        187⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        187⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        185⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        185⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        185⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        185⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        185⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        183⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        183⤵
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        184⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        183⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        183⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        181⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        181⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        181⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        181⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        181⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        179⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        179⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        179⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        179⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        177⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        177⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        177⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        177⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        177⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        175⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        175⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        175⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        175⤵
        
        PID:4536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        175⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        173⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        173⤵
        
        PID:860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        173⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        173⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        173⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        171⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        171⤵
        
        PID:736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        171⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        171⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        169⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        169⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        169⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        169⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        169⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        167⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        167⤵
        
        PID:716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        167⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        167⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        165⤵
        
        PID:1292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        166⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        165⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        165⤵
        
        PID:628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        165⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        165⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        163⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        163⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        163⤵
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        163⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        163⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        161⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        161⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        161⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        161⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        159⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        159⤵
        
        PID:392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        159⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        159⤵
        
        PID:3544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        159⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        157⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        157⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        157⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        157⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        155⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        155⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        155⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        155⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        155⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        153⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        153⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        153⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        153⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        153⤵
        
        PID:912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        151⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        151⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        151⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        151⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        149⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        149⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        149⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        149⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        147⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        147⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        147⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        147⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        145⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        145⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        145⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        145⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        145⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        143⤵
        
        PID:468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        143⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        143⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        143⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        143⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        141⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        141⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        141⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        141⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        141⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        139⤵
        
        PID:788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        139⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        139⤵
        
        PID:3908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        139⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        139⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        137⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        137⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        137⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        137⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        135⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        135⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        135⤵
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        135⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        135⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        133⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        133⤵
        
        PID:208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        133⤵
        
        PID:1580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        133⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        131⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        131⤵
        
        PID:392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        131⤵
        
        PID:968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        131⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        131⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        129⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        129⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        129⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        129⤵
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        129⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        127⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        127⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        127⤵
        
        PID:4024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        127⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        127⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        125⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        125⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        125⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        123⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        123⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        123⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        123⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        123⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        121⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        121⤵
        
        PID:220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        121⤵
        
        PID:1748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        121⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        121⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        119⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        119⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        119⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        117⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        117⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        117⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        115⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        115⤵
        
        PID:3260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        115⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        113⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        113⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        113⤵
        
        PID:468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        111⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        111⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        111⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        109⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        109⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        109⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        107⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        107⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        107⤵
        
        PID:1804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        105⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        105⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        105⤵
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        103⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        103⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        101⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        101⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        101⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        99⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        99⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        99⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        97⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        97⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        97⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        95⤵
        
        PID:628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        95⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        95⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        93⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        93⤵
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        93⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        91⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        91⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        89⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        89⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        87⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        87⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        87⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        85⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        85⤵
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        85⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        83⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        83⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        83⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        81⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        81⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        81⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        79⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        79⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        79⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        77⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        77⤵
        
        PID:1888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        77⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        75⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        75⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        75⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        73⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        73⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        73⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        71⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        71⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        69⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        69⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:1764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        67⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        65⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        63⤵
        
        PID:224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        61⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        59⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        57⤵
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:2040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        55⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        53⤵
        
        PID:1680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        51⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        49⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        
        PID:3320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        47⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        45⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        43⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        41⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:1748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        39⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        37⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        35⤵
        
        PID:464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        33⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        31⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        29⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        27⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:1264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        25⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        23⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        21⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        19⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        17⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        13⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        11⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        9⤵
        
        PID:736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        7⤵
        
        PID:3104
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:3752
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WINDOW~1.EXE > nul
        5⤵
        
        PID:952
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EA7652~1.EXE > nul
    3⤵
    PID:1668

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windowsmsnlive.exe

Filesize
45KB

MD5
ea765260c975618896c278e32ca46a18

SHA1
5b57e2a51b208253c9c9c1634e08ed55995dafdc

SHA256
aeecf05ef9b20d0ba0ed0fed299d5c07161e4d35daab807a714372da90cee5db

SHA512
5b94aae419f88379fd2029292e7643cd558f897cf552cf5e9c8a2d7f0f8cb6b77b91f2e750447e99e09eb1b03b2d858653d8e3f4985b73f1762fcbf272dda2ed

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
c10a0afe2aa4e95d36b1e568d94a7248

SHA1
fbbdceca4f75d9cc8a68e3310fdb97e82ba01ba3

SHA256
c99f7b22b4c55d236c89737f67de4d9fe633b2402eba8721736829b0bc2173c3

SHA512
da5aca33751b7c02182003af0f5a0545c3a014cc65e67f3f4967170b26dc738011561b2b56e0286535a0da7ea4464c2035486564f3b7e00941268e892dcb74e4

Download Submit
memory/1496-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1496-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1496-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1496-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1496-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1576-50-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1912-76-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2360-49-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3264-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3912-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3912-114-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4148-102-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4692-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4976-89-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads