a9524f30aaff503ab58af21556160282929edb8f72b81efc979dd8510f6129c2

Analysis

max time kernel
165s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a7c1927f515eeec926a21d5e91e12da.exe
Size

50KB
MD5

1a7c1927f515eeec926a21d5e91e12da
SHA1

3c5c6802372c32477ff5c11c1e59979f50752730
SHA256

a9524f30aaff503ab58af21556160282929edb8f72b81efc979dd8510f6129c2
SHA512

d0581ced6aad504a9feff58e27c9a465471d60aa531afcbde0a3bbaf04d27c2f045037577dcae6f5c2b2f263b891be5c1e89d838147101974a7e02a44e0ec853
SSDEEP

768:BHReXvU8CVG6qDfQlPdXsz56b0Rw4zXn4hie7UXrM0gCs2H4rdxO2+:BHReXoVXfj6cushlkPZ2dU2+

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
63	2640	CMD.exe
67	2640	CMD.exe

Disables RegEdit via registry modification 27 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	1a7c1927f515eeec926a21d5e91e12da.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symrestore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	cmd.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	1a7c1927f515eeec926a21d5e91e12da.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symrestore.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Conhost.exe

Checks computer location settings 2 TTPs 22 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	1a7c1927f515eeec926a21d5e91e12da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	CMD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	symrestore.exe

Executes dropped EXE 56 IoCs

pid	Process
5100	symrestore.exe
4580	symrestore.exe
1036	Conhost.exe
4660	symrestore.exe
4212	symrestore.exe
1620	symrestore.exe
4784	symrestore.exe
1932	symrestore.exe
3756	symrestore.exe
536	symrestore.exe
220	symrestore.exe
4732	Process not Found
1692	symrestore.exe
2952	symrestore.exe
2640	sihclient.exe
4516	symrestore.exe
1844	CMD.exe
3876	symrestore.exe
2932	symrestore.exe
3952	symrestore.exe
4376	Conhost.exe
2244	cmd.exe
4372	CMD.exe
2932	symrestore.exe
3992	CMD.exe
4208	symrestore.exe
4756	Conhost.exe
464	Conhost.exe
4568	symrestore.exe
3556	symrestore.exe
228	symrestore.exe
4808	Conhost.exe
2536	Conhost.exe
808	Conhost.exe
4528	CMD.exe
4784	symrestore.exe
5080	cmd.exe
1620	symrestore.exe
4280	Conhost.exe
1940	symrestore.exe
5112	CMD.exe
3868	Conhost.exe
4624	cmd.exe
4992	cmd.exe
952	symrestore.exe
4040	symrestore.exe
4080	symrestore.exe
1368	Conhost.exe
3548	CMD.exe
1144	symrestore.exe
976	svchost.exe
2156	symrestore.exe
720	Conhost.exe
3556	symrestore.exe
4280	Conhost.exe
228	CMD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3940-0-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3940-1-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3940-2-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3940-6-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3940-7-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3940-8-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4580-79-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4580-81-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4580-82-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1620-110-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1620-111-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1620-113-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1932-126-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1932-129-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1932-128-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/536-142-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/536-143-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/536-144-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4516-186-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3876-201-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3876-203-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3952-219-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2244-235-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4208-265-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/808-325-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1620-350-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4040-398-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/228-461-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4572-474-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/916-510-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/916-512-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2232-525-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1248-633-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2300-669-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/5100-719-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/5100-721-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/944-781-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1728-807-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2248-926-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1340-999-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1340-1002-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/400-1063-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4720-1100-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2848-1135-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2848-1138-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/5100-1176-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/5100-1174-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2984-1211-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2984-1214-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3016-1286-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1364-1334-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3748-1360-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3984-1374-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1340-1386-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3352-1423-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4372-1493-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1352-1571-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4956-1594-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3496-1620-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2260-1644-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2292-1695-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3332-1755-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4820-1767-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3632-1805-0x0000000010000000-0x0000000010014000-memory.dmp	upx

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	1a7c1927f515eeec926a21d5e91e12da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	CMD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	symrestore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Restore Service = "symrestore.exe"	cmd.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	Conhost.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	Process not Found
File created	C:\Windows\SysWOW64\symrestore.exe	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	cmd.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	Process not Found
File created	C:\Windows\SysWOW64\symrestore.exe	cmd.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	Conhost.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	Conhost.exe
File created	C:\Windows\SysWOW64\symrestore.exe	1a7c1927f515eeec926a21d5e91e12da.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	1a7c1927f515eeec926a21d5e91e12da.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	Conhost.exe
File created	C:\Windows\SysWOW64\symrestore.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	Conhost.exe
File created	C:\Windows\SysWOW64\symrestore.exe	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File created	C:\Windows\SysWOW64\symrestore.exe	Conhost.exe
File created	C:\Windows\SysWOW64\symrestore.exe	CMD.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	CMD.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe
File opened for modification	C:\Windows\SysWOW64\symrestore.exe	symrestore.exe

Suspicious use of SetThreadContext 28 IoCs

description	pid	Process	procid_target
PID 3984 set thread context of 3940	3984	1a7c1927f515eeec926a21d5e91e12da.exe	89
PID 5100 set thread context of 4580	5100	symrestore.exe	95
PID 1036 set thread context of 4660	1036	Conhost.exe	114
PID 4212 set thread context of 1620	4212	symrestore.exe	128
PID 4784 set thread context of 1932	4784	symrestore.exe	136
PID 3756 set thread context of 536	3756	symrestore.exe	147
PID 1692 set thread context of 2952	1692	symrestore.exe	170
PID 2640 set thread context of 4516	2640	sihclient.exe	190
PID 1844 set thread context of 3876	1844	CMD.exe	203
PID 2932 set thread context of 3952	2932	symrestore.exe	215
PID 4376 set thread context of 2244	4376	Conhost.exe	490
PID 4372 set thread context of 2932	4372	CMD.exe	240
PID 3992 set thread context of 4208	3992	CMD.exe	246
PID 4756 set thread context of 464	4756	Conhost.exe	522
PID 4568 set thread context of 3556	4568	symrestore.exe	458
PID 228 set thread context of 4808	228	symrestore.exe	627
PID 2536 set thread context of 808	2536	Conhost.exe	622
PID 4528 set thread context of 4784	4528	CMD.exe	314
PID 5080 set thread context of 1620	5080	cmd.exe	325
PID 4280 set thread context of 1940	4280	Conhost.exe	332
PID 5112 set thread context of 3868	5112	CMD.exe	564
PID 4624 set thread context of 4992	4624	cmd.exe	521
PID 952 set thread context of 4040	952	symrestore.exe	370
PID 4080 set thread context of 1368	4080	symrestore.exe	795
PID 3548 set thread context of 1144	3548	CMD.exe	394
PID 976 set thread context of 2156	976	svchost.exe	733
PID 720 set thread context of 3556	720	Conhost.exe	458
PID 4280 set thread context of 228	4280	Conhost.exe	693

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1a7c1927f515eeec926a21d5e91e12da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CMD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symrestore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3940	1a7c1927f515eeec926a21d5e91e12da.exe
Token: SeIncBasePriorityPrivilege	4580	symrestore.exe
Token: SeIncBasePriorityPrivilege	4660	symrestore.exe
Token: SeIncBasePriorityPrivilege	1620	symrestore.exe
Token: SeIncBasePriorityPrivilege	1932	symrestore.exe
Token: SeIncBasePriorityPrivilege	536	symrestore.exe
Token: SeIncBasePriorityPrivilege	4732	Process not Found
Token: SeIncBasePriorityPrivilege	2952	symrestore.exe
Token: SeIncBasePriorityPrivilege	4516	symrestore.exe
Token: SeIncBasePriorityPrivilege	3876	symrestore.exe
Token: SeIncBasePriorityPrivilege	3952	symrestore.exe
Token: SeIncBasePriorityPrivilege	2244	cmd.exe
Token: SeIncBasePriorityPrivilege	2932	symrestore.exe
Token: SeIncBasePriorityPrivilege	4208	symrestore.exe
Token: SeIncBasePriorityPrivilege	464	Conhost.exe
Token: SeIncBasePriorityPrivilege	3556	symrestore.exe
Token: SeIncBasePriorityPrivilege	4808	Conhost.exe
Token: SeIncBasePriorityPrivilege	808	Conhost.exe
Token: SeIncBasePriorityPrivilege	4784	symrestore.exe
Token: SeIncBasePriorityPrivilege	1620	symrestore.exe
Token: SeIncBasePriorityPrivilege	1940	symrestore.exe
Token: SeIncBasePriorityPrivilege	3868	Conhost.exe
Token: SeIncBasePriorityPrivilege	4992	cmd.exe
Token: SeIncBasePriorityPrivilege	4040	symrestore.exe
Token: SeIncBasePriorityPrivilege	1368	Conhost.exe
Token: SeIncBasePriorityPrivilege	1144	symrestore.exe
Token: SeIncBasePriorityPrivilege	2156	symrestore.exe
Token: SeIncBasePriorityPrivilege	3556	symrestore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 3940	3984	1a7c1927f515eeec926a21d5e91e12da.exe	89
PID 3984 wrote to memory of 3940	3984	1a7c1927f515eeec926a21d5e91e12da.exe	89
PID 3984 wrote to memory of 3940	3984	1a7c1927f515eeec926a21d5e91e12da.exe	89
PID 3984 wrote to memory of 3940	3984	1a7c1927f515eeec926a21d5e91e12da.exe	89
PID 3984 wrote to memory of 3940	3984	1a7c1927f515eeec926a21d5e91e12da.exe	89
PID 3984 wrote to memory of 3940	3984	1a7c1927f515eeec926a21d5e91e12da.exe	89
PID 3984 wrote to memory of 3940	3984	1a7c1927f515eeec926a21d5e91e12da.exe	89
PID 3984 wrote to memory of 3940	3984	1a7c1927f515eeec926a21d5e91e12da.exe	89
PID 3940 wrote to memory of 5100	3940	1a7c1927f515eeec926a21d5e91e12da.exe	92
PID 3940 wrote to memory of 5100	3940	1a7c1927f515eeec926a21d5e91e12da.exe	92
PID 3940 wrote to memory of 5100	3940	1a7c1927f515eeec926a21d5e91e12da.exe	92
PID 3940 wrote to memory of 2344	3940	1a7c1927f515eeec926a21d5e91e12da.exe	93
PID 3940 wrote to memory of 2344	3940	1a7c1927f515eeec926a21d5e91e12da.exe	93
PID 3940 wrote to memory of 2344	3940	1a7c1927f515eeec926a21d5e91e12da.exe	93
PID 3940 wrote to memory of 1704	3940	1a7c1927f515eeec926a21d5e91e12da.exe	97
PID 3940 wrote to memory of 1704	3940	1a7c1927f515eeec926a21d5e91e12da.exe	97
PID 3940 wrote to memory of 1704	3940	1a7c1927f515eeec926a21d5e91e12da.exe	97
PID 3940 wrote to memory of 3444	3940	1a7c1927f515eeec926a21d5e91e12da.exe	96
PID 3940 wrote to memory of 3444	3940	1a7c1927f515eeec926a21d5e91e12da.exe	96
PID 3940 wrote to memory of 3444	3940	1a7c1927f515eeec926a21d5e91e12da.exe	96
PID 3940 wrote to memory of 4000	3940	1a7c1927f515eeec926a21d5e91e12da.exe	94
PID 3940 wrote to memory of 4000	3940	1a7c1927f515eeec926a21d5e91e12da.exe	94
PID 3940 wrote to memory of 4000	3940	1a7c1927f515eeec926a21d5e91e12da.exe	94
PID 3940 wrote to memory of 3100	3940	1a7c1927f515eeec926a21d5e91e12da.exe	99
PID 3940 wrote to memory of 3100	3940	1a7c1927f515eeec926a21d5e91e12da.exe	99
PID 3940 wrote to memory of 3100	3940	1a7c1927f515eeec926a21d5e91e12da.exe	99
PID 5100 wrote to memory of 4580	5100	symrestore.exe	95
PID 5100 wrote to memory of 4580	5100	symrestore.exe	95
PID 5100 wrote to memory of 4580	5100	symrestore.exe	95
PID 5100 wrote to memory of 4580	5100	symrestore.exe	95
PID 5100 wrote to memory of 4580	5100	symrestore.exe	95
PID 5100 wrote to memory of 4580	5100	symrestore.exe	95
PID 5100 wrote to memory of 4580	5100	symrestore.exe	95
PID 5100 wrote to memory of 4580	5100	symrestore.exe	95
PID 4580 wrote to memory of 1036	4580	symrestore.exe	150
PID 4580 wrote to memory of 1036	4580	symrestore.exe	150
PID 4580 wrote to memory of 1036	4580	symrestore.exe	150
PID 4580 wrote to memory of 4084	4580	symrestore.exe	105
PID 4580 wrote to memory of 4084	4580	symrestore.exe	105
PID 4580 wrote to memory of 4084	4580	symrestore.exe	105
PID 4580 wrote to memory of 1248	4580	symrestore.exe	107
PID 4580 wrote to memory of 1248	4580	symrestore.exe	107
PID 4580 wrote to memory of 1248	4580	symrestore.exe	107
PID 4580 wrote to memory of 4440	4580	symrestore.exe	106
PID 4580 wrote to memory of 4440	4580	symrestore.exe	106
PID 4580 wrote to memory of 4440	4580	symrestore.exe	106
PID 4580 wrote to memory of 3532	4580	symrestore.exe	188
PID 4580 wrote to memory of 3532	4580	symrestore.exe	188
PID 4580 wrote to memory of 3532	4580	symrestore.exe	188
PID 4580 wrote to memory of 3080	4580	symrestore.exe	113
PID 4580 wrote to memory of 3080	4580	symrestore.exe	113
PID 4580 wrote to memory of 3080	4580	symrestore.exe	113
PID 1036 wrote to memory of 4660	1036	Conhost.exe	114
PID 1036 wrote to memory of 4660	1036	Conhost.exe	114
PID 1036 wrote to memory of 4660	1036	Conhost.exe	114
PID 1036 wrote to memory of 4660	1036	Conhost.exe	114
PID 1036 wrote to memory of 4660	1036	Conhost.exe	114
PID 1036 wrote to memory of 4660	1036	Conhost.exe	114
PID 1036 wrote to memory of 4660	1036	Conhost.exe	114
PID 1036 wrote to memory of 4660	1036	Conhost.exe	114
PID 4660 wrote to memory of 4212	4660	symrestore.exe	118
PID 4660 wrote to memory of 4212	4660	symrestore.exe	118
PID 4660 wrote to memory of 4212	4660	symrestore.exe	118
PID 4660 wrote to memory of 4812	4660	symrestore.exe	120

C:\Users\Admin\AppData\Local\Temp\1a7c1927f515eeec926a21d5e91e12da.exe
"C:\Users\Admin\AppData\Local\Temp\1a7c1927f515eeec926a21d5e91e12da.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\1a7c1927f515eeec926a21d5e91e12da.exe
  "C:\Users\Admin\AppData\Local\Temp\1a7c1927f515eeec926a21d5e91e12da.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\system32\symrestore.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\SysWOW64\symrestore.exe"
      4⤵
      Disables RegEdit via registry modification
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        5⤵
        
        PID:1036
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        6⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4212
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        8⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4784
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        10⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3756
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        12⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        13⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        13⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        11⤵
        
        PID:556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        9⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        7⤵
        
        PID:1940
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:4084
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:1248
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:3532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        5⤵
        
        PID:3080
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1A7C19~1.EXE > nul
    3⤵
    PID:3100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4316

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4732
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1692
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        6⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        7⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        8⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        9⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        10⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        11⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        12⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        13⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        14⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        15⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        16⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        17⤵
        
        PID:464
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4568
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        19⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        20⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        20⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        20⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        20⤵
        
        PID:64
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        20⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        20⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        18⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        18⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        18⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        18⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        18⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        16⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        16⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        16⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        16⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        16⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        14⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        14⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        14⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        14⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        12⤵
        
        PID:2788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:756
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        13⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        14⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        15⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        16⤵
        
        PID:64
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4080
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        18⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        19⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        20⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        21⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        22⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        23⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        24⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        25⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        26⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        27⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        28⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        29⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        30⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        31⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        32⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        33⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        34⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        35⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        36⤵
        
        PID:468
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        37⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        38⤵
        
        PID:316
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        39⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        40⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        41⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        42⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        43⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        44⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        45⤵
        
        PID:880
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        46⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        47⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        48⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        49⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        50⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        51⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        52⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        53⤵
        
        PID:944
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        54⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        55⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        56⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        57⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        58⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        59⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        60⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        61⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        62⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        63⤵
        
        PID:400
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        64⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        65⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        66⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        67⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        68⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        69⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        70⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        71⤵
        
        PID:464
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        72⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        73⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        74⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        75⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        76⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        77⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        78⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        79⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        80⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        81⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        82⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        83⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        84⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        85⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        86⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        86⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        86⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        86⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        86⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        86⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        84⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        84⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        85⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        86⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        86⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        86⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        86⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        86⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        86⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        84⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        84⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        84⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        82⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        82⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        83⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        84⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        85⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        86⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        86⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        86⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        86⤵
        
        PID:316
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        87⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        86⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        86⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        84⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        84⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        84⤵
        
        PID:748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        84⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        84⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        82⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        82⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        82⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        80⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        80⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        80⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        80⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        80⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        78⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        78⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        78⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        78⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        78⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        76⤵
        
        PID:400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        76⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        76⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        76⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        76⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        74⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        74⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        74⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        74⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        74⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        72⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        72⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        72⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        72⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        72⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        70⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        70⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        70⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        71⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        72⤵
        
        PID:64
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        73⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        74⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        75⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        76⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        76⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        76⤵
        
        PID:760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        76⤵
        
        PID:748
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        77⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        78⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        78⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        78⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        78⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        78⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        78⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        76⤵
        
        PID:64
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        76⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        74⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        74⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        74⤵
        
        PID:232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        74⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        74⤵
        
        PID:440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        74⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        72⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        72⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        72⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        72⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        72⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        70⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        70⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        68⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        68⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        68⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        68⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        68⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        66⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        66⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        66⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        66⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        66⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        64⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        64⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        64⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        64⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        64⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        62⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        62⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        62⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        62⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        62⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        60⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        60⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        60⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        60⤵
        
        PID:464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        60⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        58⤵
        
        PID:1708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        58⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        58⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        58⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        59⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        60⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        60⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        60⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        61⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        60⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        60⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        60⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        58⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        56⤵
        
        PID:232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        56⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        56⤵
        
        PID:624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        56⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        56⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        54⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        54⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        54⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        54⤵
        
        PID:440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        54⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        52⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        52⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        52⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        52⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        52⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        50⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        50⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        50⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        50⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        50⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        48⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        48⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        48⤵
        
        PID:468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        48⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        48⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        46⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        46⤵
        
        PID:556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        46⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        46⤵
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        46⤵
        
        PID:756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        44⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        44⤵
        
        PID:2288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        44⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        44⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        42⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        42⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        42⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        42⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        42⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        40⤵
        
        PID:672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        40⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        40⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        40⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        40⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        38⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        38⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        38⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        38⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        38⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        36⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        36⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        36⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        36⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        36⤵
        Blocklisted process makes network request
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        34⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        34⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        34⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        34⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        34⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        32⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        32⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        32⤵
        
        PID:1192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        32⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        32⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        30⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        30⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        30⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        30⤵
        
        PID:1512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        28⤵
        
        PID:2016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        30⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        28⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        28⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        28⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        28⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        26⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        26⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        26⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        26⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        26⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        24⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        24⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        24⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        24⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        24⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        22⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        22⤵
        
        PID:4380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        22⤵
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        22⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        22⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        20⤵
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        20⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        20⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        20⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        20⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        18⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        18⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        18⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        18⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        16⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        16⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        16⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        16⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        16⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        14⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        14⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        14⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        14⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        14⤵
        
        PID:2852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        12⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        12⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        12⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        12⤵
        
        PID:2352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        10⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        10⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        10⤵
        
        PID:916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        10⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        10⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        8⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        8⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        8⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        8⤵
        
        PID:4876
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:4040
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:4820
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:2180
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        6⤵
        
        PID:1552
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        6⤵
        
        PID:3092
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:4848
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:3952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:4500
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:3976
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:3832
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:2440
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:4868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4320

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv j2EIZcMRpEq3aZLf9cyQ0g.0.2
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2640

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4808
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:808
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:4528
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        6⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        7⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        8⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        9⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        10⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        11⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        12⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        13⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:952
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        15⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        16⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        17⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        18⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        19⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        20⤵
        
        PID:976
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        21⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        22⤵
        
        PID:720
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        23⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        24⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:228
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        26⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        27⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        28⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        29⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        30⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        31⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        32⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        32⤵
        
        PID:556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        32⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        32⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        32⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        32⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        30⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        30⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        30⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        30⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        30⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        28⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        28⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        28⤵
        
        PID:880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        28⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        28⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        26⤵
        
        PID:1380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        26⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        26⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        26⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        26⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        24⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        24⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        24⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        24⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        24⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        22⤵
        
        PID:3016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        22⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        22⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        22⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        22⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        20⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        20⤵
        
        PID:232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        20⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        20⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        20⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        18⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        18⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        18⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        18⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        18⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        16⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        16⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        16⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        16⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        14⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        14⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        14⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        14⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        14⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        12⤵
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        12⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        12⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        12⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        12⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        10⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        10⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        10⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        10⤵
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        10⤵
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        8⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        8⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        8⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        8⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        8⤵
        
        PID:3972
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        6⤵
        
        PID:1512
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        6⤵
        
        PID:3136
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:3092
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:4848
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:4456
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:4756
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:1144
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:1260
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:3844
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:4084
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:3352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3636

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:916
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:1236
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:4968
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:4352
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:2788
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:3124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4372
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:2844
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:1692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4684

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:2172
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:3984
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:2852
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:2724
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        7⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        8⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        8⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        8⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        8⤵
        
        PID:468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        8⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        8⤵
        
        PID:4436
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:4372
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:3352
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        6⤵
        
        PID:4632
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        6⤵
        
        PID:3680
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        6⤵
        
        PID:760
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:4444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:2728
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:4536
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:1068
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:1704
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:4632

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:2248
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:4684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:2556
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:2008
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:5080
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:4288
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:5100

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:400
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:3984
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:4840
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:3576
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        6⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        7⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        8⤵
        
        PID:228
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        9⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        10⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        11⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        12⤵
        
        PID:320
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        13⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        14⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        15⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        16⤵
        
        PID:760
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        17⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        18⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        19⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        20⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        21⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        22⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        22⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        22⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        22⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        23⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        24⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        22⤵
        
        PID:844
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        22⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        21⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        22⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        23⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        24⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        25⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        26⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        23⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        22⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        20⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        20⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        20⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        20⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        20⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        18⤵
        
        PID:228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        18⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        18⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        18⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        14⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        12⤵
        
        PID:672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        12⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        12⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        12⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        13⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        14⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        14⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        12⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        10⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        10⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        10⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        10⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        10⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        8⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        8⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        8⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        8⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        8⤵
        
        PID:4492
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:1696
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:316
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:1800
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        6⤵
        
        PID:844
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        6⤵
        
        PID:5076
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        6⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        7⤵
        
        PID:3608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:440
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:1528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:5112
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:1580
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:760
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:5076

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:4956
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:2556
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:5048
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:1328
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:4444
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:2852

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5100
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:4176
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:4884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:3264
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:5104
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:228
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:3960
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:3016
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:1068
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:5104
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        6⤵
        
        PID:4308
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        6⤵
        
        PID:968
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        6⤵
        
        PID:4376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:440
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:4292
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:3356
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:3092

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4888
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:3332
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:2844
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:1500
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:3756
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:2180
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        6⤵
        
        PID:4852
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        6⤵
        
        PID:1340
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        6⤵
        
        PID:1840
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:4308
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:1844
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:1352
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:3452
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:4040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:2508
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:1340
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:1628
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:4760
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:4400

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:3756
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:4372
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:1364
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:2844
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:3264
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:4880
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:4852
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:4380
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        6⤵
        
        PID:1744
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        6⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        7⤵
        
        PID:4788
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        6⤵
        
        PID:3576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:2728
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:5084
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:3308
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:3576
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:1840
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:4760
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:2656
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:3736
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:4876
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:3452
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:4176

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4376

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:3972
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:4372
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:3356
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:3796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:1708

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:3352

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4880
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:4696
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:3628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:1328
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:1068
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        6⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        7⤵
        
        PID:880
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        8⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        9⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        10⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        10⤵
        
        PID:228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        10⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        10⤵
        
        PID:3152
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:4040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:2852
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:4388
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:4256

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:3608
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:4696
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:4252
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\SysWOW64\symrestore.exe"
  2⤵
  PID:4436
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:5048

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4960
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:4436
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:2292
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:1528
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:2620
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        6⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        7⤵
        
        PID:2064
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:4852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:1908
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:1844
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:2620

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:3344

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:3528
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:672

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\system32\symrestore.exe"
1⤵
PID:4864
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\SysWOW64\symrestore.exe"
  2⤵
  PID:4632

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:3332
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:3356

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4820
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:1340
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:3796

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\system32\symrestore.exe"
1⤵
PID:1340
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\SysWOW64\symrestore.exe"
  2⤵
  PID:3632
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\system32\symrestore.exe"
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\SysWOW64\symrestore.exe"
      4⤵
      PID:4684

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4040
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:4852
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:1696

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:1648
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:1368

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:3948
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:4884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:760
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:4740
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:4040
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:2656
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:844

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:816
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:4436

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:2272

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:916
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\SysWOW64\symrestore.exe"
  2⤵
  PID:5104

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:2880

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:1800
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:3092
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:1948
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:316
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:2328
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:3020
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:4024

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5076

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:468

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:4388

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:228
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:4780

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:2248
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:5020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:3784

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:3612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:5176
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:5156
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:5148
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:5140
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:5132

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:5492
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:5476
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:5468
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:5460

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:5832
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:5816
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:5808
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:5800
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:5792
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:5776

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5912
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:6140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:3164
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:6132
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:6124

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5352
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:5980

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:2096

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4488
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:5664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:3132

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4780

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:5824

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:6064
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:5708
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:5376
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:5296
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:5304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:468

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:4040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:6092

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:6120
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:6124
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:5016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:5700
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:6004
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:5992
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:4352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:3300
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:6096
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:1500
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:5176
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:6056

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:1808
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:4876
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:5152
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:748

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5640
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:5280
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:6016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:5608
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:4892
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:5904
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:5320

C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
1⤵
PID:5868

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:6128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:1500
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:4492
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:1592
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:5428
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:5756

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:760
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:5356
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:5760
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:5720
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:2984
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:5364

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:5140
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:4876
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:5308
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:2656
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:3012
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:1708

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5888
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:5904
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:5956
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:5804
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:5284
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:5288
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:5672

C:\Windows\SysWOW64\symrestore.exe
"C:\Windows\SysWOW64\symrestore.exe"
1⤵
PID:5484
- C:\Windows\SysWOW64\symrestore.exe
  "C:\Windows\system32\symrestore.exe"
  2⤵
  PID:5980
- - C:\Windows\SysWOW64\symrestore.exe
    "C:\Windows\SysWOW64\symrestore.exe"
    3⤵
    PID:1780
  - - C:\Windows\SysWOW64\symrestore.exe
      "C:\Windows\system32\symrestore.exe"
      4⤵
      PID:612
    - - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        5⤵
        
        PID:2004
      - C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        6⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        7⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\system32\symrestore.exe"
        8⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\symrestore.exe
        
        "C:\Windows\SysWOW64\symrestore.exe"
        9⤵
        
        PID:3264
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
        6⤵
        
        PID:4380
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        6⤵
        
        PID:4024
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        6⤵
        
        PID:5748
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        6⤵
        
        PID:5256
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
      4⤵
      PID:5756
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
      4⤵
      PID:916
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.com
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMRES~1.EXE > nul
  2⤵
  PID:5728
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
  2⤵
  PID:5108
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
  2⤵
  PID:5780
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.com
  2⤵
  PID:5600
- C:\Windows\SysWOW64\CMD.exe
  CMD /C del /F /S /Q *.zip
  2⤵
  PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\symrestore.exe

Filesize
50KB

MD5
1a7c1927f515eeec926a21d5e91e12da

SHA1
3c5c6802372c32477ff5c11c1e59979f50752730

SHA256
a9524f30aaff503ab58af21556160282929edb8f72b81efc979dd8510f6129c2

SHA512
d0581ced6aad504a9feff58e27c9a465471d60aa531afcbde0a3bbaf04d27c2f045037577dcae6f5c2b2f263b891be5c1e89d838147101974a7e02a44e0ec853

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
11KB

MD5
59aab3d9a7e6ee0da9573dbc9d599d34

SHA1
4390523b2ee560cde667cbb66605e0cea2007703

SHA256
3f959051ecc15ea27c23af941d1f7292ef776cef25b2b28409ac4c25188c76a5

SHA512
d999b0f3c57648d4903228c2221c48260f38ba036a4bb27246e76d7143dd5da6e041f1d9fc7044617c92349df8ad2cf3e396c83ef41aa1013a43635fbba1ea06

Download Submit
memory/228-461-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/400-1063-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/536-144-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/536-143-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/536-142-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/808-325-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/916-510-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/916-512-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/944-781-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1036-93-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1248-633-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1340-1386-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1340-999-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1340-1002-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1352-1571-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1364-1334-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1620-111-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1620-110-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1620-113-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1620-350-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1728-807-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1932-126-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1932-129-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1932-128-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2232-525-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2244-235-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2248-926-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2260-1644-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2272-1983-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2292-1695-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2300-669-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2848-1138-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2848-1135-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2984-1211-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2984-1214-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3016-1286-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3332-1755-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3352-1423-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3496-1620-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3632-1805-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3748-1360-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3756-141-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3876-201-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3876-203-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3940-0-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3940-7-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3940-6-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3940-1-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3940-8-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3940-2-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3952-219-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3984-5-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3984-1374-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4040-398-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4208-265-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4212-108-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4372-1493-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4516-186-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4572-474-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4580-81-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4580-82-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4580-79-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4720-1100-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4780-2224-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4784-125-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4820-1767-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4956-1594-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/5100-1176-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/5100-1174-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/5100-78-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/5100-721-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/5100-719-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/5104-2055-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/5240-2809-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/5352-2188-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/5884-2532-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/5888-2396-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/5972-2344-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/6052-2629-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/6128-2360-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads