a9524f30aaff503ab58af21556160282929edb8f72b81efc979dd8510f6129c2

Analysis

max time kernel
56s
max time network
19s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a7c1927f515eeec926a21d5e91e12da.exe
Size

50KB
MD5

1a7c1927f515eeec926a21d5e91e12da
SHA1

3c5c6802372c32477ff5c11c1e59979f50752730
SHA256

a9524f30aaff503ab58af21556160282929edb8f72b81efc979dd8510f6129c2
SHA512

d0581ced6aad504a9feff58e27c9a465471d60aa531afcbde0a3bbaf04d27c2f045037577dcae6f5c2b2f263b891be5c1e89d838147101974a7e02a44e0ec853
SSDEEP

768:BHReXvU8CVG6qDfQlPdXsz56b0Rw4zXn4hie7UXrM0gCs2H4rdxO2+:BHReXoVXfj6cushlkPZ2dU2+

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Disables RegEdit via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	1a7c1927f515eeec926a21d5e91e12da.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	1a7c1927f515eeec926a21d5e91e12da.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 24 IoCs

pid	Process
2588	symrestore.exe
2608	symrestore.exe
2780	symrestore.exe
1640	symrestore.exe
992	symrestore.exe
1240	symrestore.exe
948	CMD.exe
1392	symrestore.exe
2912	conhost.exe
1652	symrestore.exe
1300	symrestore.exe
2584	symrestore.exe
2588	symrestore.exe
688	symrestore.exe
740	symrestore.exe
1376	symrestore.exe
1480	conhost.exe
440	symrestore.exe
924	CMD.exe
552	symrestore.exe
1296	symrestore.exe
2684	symrestore.exe
2932	symrestore.exe
2580	symrestore.exe

Loads dropped DLL 24 IoCs

pid	Process
2232	1a7c1927f515eeec926a21d5e91e12da.exe
2232	1a7c1927f515eeec926a21d5e91e12da.exe
2608	symrestore.exe
2608	symrestore.exe
1640	symrestore.exe
1640	symrestore.exe
1240	symrestore.exe
1240	symrestore.exe
1392	symrestore.exe
1392	symrestore.exe
1652	symrestore.exe
1652	symrestore.exe
2584	symrestore.exe
2584	symrestore.exe
688	symrestore.exe
688	symrestore.exe
1376	symrestore.exe
1376	symrestore.exe
440	symrestore.exe
440	symrestore.exe
552	symrestore.exe
552	symrestore.exe
2684	symrestore.exe
2684	symrestore.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-2-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2232-4-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2232-6-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2232-12-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2232-14-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2232-16-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/1392-117-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/1652-140-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2584-166-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/688-187-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/744-431-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2912-714-0x0000000010000000-0x0000000010014000-memory.dmp	upx

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	1a7c1927f515eeec926a21d5e91e12da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	1a7c1927f515eeec926a21d5e91e12da.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	1a7c1927f515eeec926a21d5e91e12da.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2232	2172	1a7c1927f515eeec926a21d5e91e12da.exe	28
PID 2588 set thread context of 2608	2588	symrestore.exe	30
PID 2780 set thread context of 1640	2780	symrestore.exe	42
PID 992 set thread context of 1240	992	symrestore.exe	64
PID 948 set thread context of 1392	948	CMD.exe	76
PID 2912 set thread context of 1652	2912	conhost.exe	88
PID 1300 set thread context of 2584	1300	symrestore.exe	102
PID 2588 set thread context of 688	2588	symrestore.exe	113
PID 740 set thread context of 1376	740	symrestore.exe	125
PID 1480 set thread context of 440	1480	conhost.exe	137
PID 924 set thread context of 552	924	CMD.exe	149
PID 1296 set thread context of 2684	1296	symrestore.exe	161
PID 2932 set thread context of 2580	2932	symrestore.exe	174

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2232	1a7c1927f515eeec926a21d5e91e12da.exe
Token: SeIncBasePriorityPrivilege	2608	symrestore.exe
Token: SeIncBasePriorityPrivilege	1640	symrestore.exe
Token: SeIncBasePriorityPrivilege	1240	symrestore.exe
Token: SeIncBasePriorityPrivilege	1392	symrestore.exe
Token: SeIncBasePriorityPrivilege	1652	symrestore.exe
Token: SeIncBasePriorityPrivilege	2584	symrestore.exe
Token: SeIncBasePriorityPrivilege	688	symrestore.exe
Token: SeIncBasePriorityPrivilege	1376	symrestore.exe
Token: SeIncBasePriorityPrivilege	440	symrestore.exe
Token: SeIncBasePriorityPrivilege	552	symrestore.exe
Token: SeIncBasePriorityPrivilege	2684	symrestore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2232	2172	1a7c1927f515eeec926a21d5e91e12da.exe	28
PID 2172 wrote to memory of 2232	2172	1a7c1927f515eeec926a21d5e91e12da.exe	28
PID 2172 wrote to memory of 2232	2172	1a7c1927f515eeec926a21d5e91e12da.exe	28
PID 2172 wrote to memory of 2232	2172	1a7c1927f515eeec926a21d5e91e12da.exe	28
PID 2172 wrote to memory of 2232	2172	1a7c1927f515eeec926a21d5e91e12da.exe	28
PID 2172 wrote to memory of 2232	2172	1a7c1927f515eeec926a21d5e91e12da.exe	28
PID 2172 wrote to memory of 2232	2172	1a7c1927f515eeec926a21d5e91e12da.exe	28
PID 2172 wrote to memory of 2232	2172	1a7c1927f515eeec926a21d5e91e12da.exe	28
PID 2232 wrote to memory of 2588	2232	1a7c1927f515eeec926a21d5e91e12da.exe	29
PID 2232 wrote to memory of 2588	2232	1a7c1927f515eeec926a21d5e91e12da.exe	29
PID 2232 wrote to memory of 2588	2232	1a7c1927f515eeec926a21d5e91e12da.exe	29
PID 2232 wrote to memory of 2588	2232	1a7c1927f515eeec926a21d5e91e12da.exe	29
PID 2588 wrote to memory of 2608	2588	symrestore.exe	30
PID 2588 wrote to memory of 2608	2588	symrestore.exe	30
PID 2588 wrote to memory of 2608	2588	symrestore.exe	30
PID 2588 wrote to memory of 2608	2588	symrestore.exe	30
PID 2232 wrote to memory of 2560	2232	1a7c1927f515eeec926a21d5e91e12da.exe	31
PID 2232 wrote to memory of 2560	2232	1a7c1927f515eeec926a21d5e91e12da.exe	31
PID 2232 wrote to memory of 2560	2232	1a7c1927f515eeec926a21d5e91e12da.exe	31
PID 2232 wrote to memory of 2560	2232	1a7c1927f515eeec926a21d5e91e12da.exe	31
PID 2232 wrote to memory of 2556	2232	1a7c1927f515eeec926a21d5e91e12da.exe	32
PID 2232 wrote to memory of 2556	2232	1a7c1927f515eeec926a21d5e91e12da.exe	32
PID 2232 wrote to memory of 2556	2232	1a7c1927f515eeec926a21d5e91e12da.exe	32
PID 2232 wrote to memory of 2556	2232	1a7c1927f515eeec926a21d5e91e12da.exe	32
PID 2232 wrote to memory of 2580	2232	1a7c1927f515eeec926a21d5e91e12da.exe	37
PID 2232 wrote to memory of 2580	2232	1a7c1927f515eeec926a21d5e91e12da.exe	37
PID 2232 wrote to memory of 2580	2232	1a7c1927f515eeec926a21d5e91e12da.exe	37
PID 2232 wrote to memory of 2580	2232	1a7c1927f515eeec926a21d5e91e12da.exe	37
PID 2232 wrote to memory of 2616	2232	1a7c1927f515eeec926a21d5e91e12da.exe	34
PID 2232 wrote to memory of 2616	2232	1a7c1927f515eeec926a21d5e91e12da.exe	34
PID 2232 wrote to memory of 2616	2232	1a7c1927f515eeec926a21d5e91e12da.exe	34
PID 2232 wrote to memory of 2616	2232	1a7c1927f515eeec926a21d5e91e12da.exe	34
PID 2232 wrote to memory of 2632	2232	1a7c1927f515eeec926a21d5e91e12da.exe	33
PID 2232 wrote to memory of 2632	2232	1a7c1927f515eeec926a21d5e91e12da.exe	33
PID 2232 wrote to memory of 2632	2232	1a7c1927f515eeec926a21d5e91e12da.exe	33
PID 2232 wrote to memory of 2632	2232	1a7c1927f515eeec926a21d5e91e12da.exe	33
PID 2588 wrote to memory of 2608	2588	symrestore.exe	30
PID 2588 wrote to memory of 2608	2588	symrestore.exe	30
PID 2588 wrote to memory of 2608	2588	symrestore.exe	30
PID 2588 wrote to memory of 2608	2588	symrestore.exe	30
PID 2608 wrote to memory of 2780	2608	symrestore.exe	41
PID 2608 wrote to memory of 2780	2608	symrestore.exe	41
PID 2608 wrote to memory of 2780	2608	symrestore.exe	41
PID 2608 wrote to memory of 2780	2608	symrestore.exe	41
PID 2780 wrote to memory of 1640	2780	symrestore.exe	42
PID 2780 wrote to memory of 1640	2780	symrestore.exe	42
PID 2780 wrote to memory of 1640	2780	symrestore.exe	42
PID 2780 wrote to memory of 1640	2780	symrestore.exe	42
PID 2780 wrote to memory of 1640	2780	symrestore.exe	42
PID 2780 wrote to memory of 1640	2780	symrestore.exe	42
PID 2780 wrote to memory of 1640	2780	symrestore.exe	42
PID 2780 wrote to memory of 1640	2780	symrestore.exe	42
PID 2608 wrote to memory of 1824	2608	symrestore.exe	50
PID 2608 wrote to memory of 1824	2608	symrestore.exe	50
PID 2608 wrote to memory of 1824	2608	symrestore.exe	50
PID 2608 wrote to memory of 1824	2608	symrestore.exe	50
PID 2608 wrote to memory of 2024	2608	symrestore.exe	49
PID 2608 wrote to memory of 2024	2608	symrestore.exe	49
PID 2608 wrote to memory of 2024	2608	symrestore.exe	49
PID 2608 wrote to memory of 2024	2608	symrestore.exe	49
PID 2608 wrote to memory of 1492	2608	symrestore.exe	43
PID 2608 wrote to memory of 1492	2608	symrestore.exe	43
PID 2608 wrote to memory of 1492	2608	symrestore.exe	43
PID 2608 wrote to memory of 1492	2608	symrestore.exe	43

C:\Users\Admin\AppData\Local\Temp\1a7c1927f515eeec926a21d5e91e12da.exe
"C:\Users\Admin\AppData\Local\Temp\1a7c1927f515eeec926a21d5e91e12da.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\1a7c1927f515eeec926a21d5e91e12da.exe
  "C:\Users\Admin\AppData\Local\Temp\1a7c1927f515eeec926a21d5e91e12da.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\system32\symrestore.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\SysWOW64\symrestore.exe"
      4⤵
      Disables RegEdit via registry modification
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        6⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:992
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        8⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        9⤵
        
        PID:948
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        10⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        11⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        12⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        13⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        14⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2588
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        16⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:740
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        18⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        19⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        20⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        21⤵
        
        PID:924
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        22⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1296
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        24⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2932
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        27⤵
        
        PID:744
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        28⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        29⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        30⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        31⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        32⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        33⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        34⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        35⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        36⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        37⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        38⤵
        Suspicious use of SetThreadContext
        
        PID:1300
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        39⤵
        
        PID:704
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        40⤵
        
        PID:744
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        41⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        42⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        43⤵
        
        PID:824
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        44⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        45⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        46⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        47⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        48⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        49⤵
        
        PID:636
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        50⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        51⤵
        
        PID:848
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        52⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        53⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        54⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        55⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        56⤵
        
        PID:824
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        57⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        58⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        59⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        60⤵
        
        PID:908
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        61⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        62⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        63⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        64⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        65⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        66⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        67⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        68⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        69⤵
        
        PID:552
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        70⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        71⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        72⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        69⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        67⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        65⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        63⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        
        PID:336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        61⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        59⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        
        PID:868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        57⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        55⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        53⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        51⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        49⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        47⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        45⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        43⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        41⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        39⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        37⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        35⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        33⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        31⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        29⤵
        
        PID:620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        27⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        25⤵
        
        PID:328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        23⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        21⤵
        
        PID:892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        19⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        17⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        15⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        13⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        11⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        9⤵
        
        PID:976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        7⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:2032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        5⤵
        
        PID:380
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:2024
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:1824
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1A7C19~1.EXE > nul
    3⤵
    - Deletes itself
    PID:2632
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:2580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1259713224-384533756-1202057120240013661-2268709086208021671394559161-670569197"
1⤵
PID:976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-120525622812481544231374961644728209841109872589719012017-6155209151765942296"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "987077724-638199253137912068-970003098-2048875978-17676450928920505821426565288"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10039221695341178195096308101743058046-1785560000-1261886041-528580682-432728872"
1⤵
PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13162038311376114922-178896449513643400851191553728-17532261871949759984-1777453765"
1⤵
PID:2332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-556100943659011129-1356995967-1476473553454094380-166302395-2598816121625032340"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1491492842-1815976157743907011524048538-1991658612187682667318225552651142681036"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\drivers\etc\hosts

Filesize
11KB

MD5
59aab3d9a7e6ee0da9573dbc9d599d34

SHA1
4390523b2ee560cde667cbb66605e0cea2007703

SHA256
3f959051ecc15ea27c23af941d1f7292ef776cef25b2b28409ac4c25188c76a5

SHA512
d999b0f3c57648d4903228c2221c48260f38ba036a4bb27246e76d7143dd5da6e041f1d9fc7044617c92349df8ad2cf3e396c83ef41aa1013a43635fbba1ea06

Download Submit
\Windows\SysWOW64\symrestore.exe

Filesize
50KB

MD5
1a7c1927f515eeec926a21d5e91e12da

SHA1
3c5c6802372c32477ff5c11c1e59979f50752730

SHA256
a9524f30aaff503ab58af21556160282929edb8f72b81efc979dd8510f6129c2

SHA512
d0581ced6aad504a9feff58e27c9a465471d60aa531afcbde0a3bbaf04d27c2f045037577dcae6f5c2b2f263b891be5c1e89d838147101974a7e02a44e0ec853

Download Submit
memory/688-187-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/744-431-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/992-91-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1392-117-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1652-140-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2172-13-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2232-12-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2232-16-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2232-14-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2232-0-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2232-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2232-6-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2232-4-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2232-2-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2584-166-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2588-45-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2780-65-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2912-714-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads