## sideload-nissrv-zip-chm

This scenario uses Powershell to locate own .ZIP file in user downloads (across %USERPROFILE%), then it unpacks it to %LOCALAPPDATA% and executes our malware..

Double click on HTML file to download **zip** and follow infection chain.

Successful infection will result in spawning a calc from mpclient.dll side-loaded into NisSrv.exe (triggered by CHM).

To become successfully infected, ZIP named Report.zip needs to be present somewhere in %USERPROFILE% .