Analysis
  max time kernel: 21s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240611-en
  resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  submitted: 26/06/2024, 20:09
  The metadata and signatures on this page are from the windows7_x64 run (behavioral1).
Tasks
  static1 (static task)
  behavioral1 (behavioral task): 1347a5850958dce87216411605fc6943_JaffaCakes118.exe on win7-20240611-en
  behavioral2 (behavioral task): 1347a5850958dce87216411605fc6943_JaffaCakes118.exe on win10v2004-20240508-en
General
  Target: 1347a5850958dce87216411605fc6943_JaffaCakes118.exe
  Size: 62KB
  MD5: 1347a5850958dce87216411605fc6943
  SHA1: 4ffea76d2e204520411667bd6ef0f62b0ba4c807
  SHA256: c107d769c98d35f4066a02fb7bd36fb7397f85f6f09f76add54a97dfa883f11c
  SHA512: 632b863daa9d3e2bc874a59d54310f51d8f592c5862dbf6297cd208f416bd89403f582ede680678eb18d1711f107b475efcdc7cd76884f1123577dc53063458c
  SSDEEP: 768:TEmqHyjzWTadaJcCi1WzCfoVPelpUqzj2eWrnJxTUJLdIBDYQQzURIKR6Lr8W/2W:TMIUJcljoViSDrzTUJpItzMURiLwqTh5

Malware Config: (empty in the captured report)
Signatures

Disables RegEdit via registry modification (64 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"
  Process: symlsrc.exe
  All 64 entries are this same write to the per-user Policies\System key of the sandbox user (RID 1000), repeated by successive symlsrc.exe instances.
Disables Task Manager via registry modification
  (no IoC rows captured for this signature)

Disables use of System Restore points (1 TTPs)
  (no IoC rows captured for this signature)
Drops file in Drivers directory (64 IoCs)
  File opened for modification C:\Windows\system32\drivers\etc\hosts
  Process: 1347a5850958dce87216411605fc6943_JaffaCakes118.exe (1 entry), symlsrc.exe (63 entries)
  The original sample opens the hosts file once; each symlsrc.exe instance opens it for modification again. The report records the open, not the content written, so the hosts file itself has to be inspected to learn what was redirected.
Executes dropped EXE (64 IoCs)
  Process: symlsrc.exe
  PIDs: 2808, 2988, 1732, 1896, 1584, 784, 592, 2328, 1920, 972, 2448, 2704, 2680, 2768, 2364, 1236, 1940, 1744, 2916, 2680, 1184, 1544, 2912, 1960, 1296, 2888, 1164, 1296, 3136, 3284, 3388, 3528, 3624, 3760, 3876, 4004, 1164, 3212, 3456, 3580, 3868, 2912, 3352, 3772, 3868, 3336, 3860, 3136, 4172, 4312, 4440, 4596, 4684, 4804, 4908, 5040, 4100, 4196, 4484, 4728, 4892, 3796, 4372, 4748
  Several PIDs recur (2680, 1296, 1164, 2912, 3868, 3136): earlier instances have exited and Windows reused their PIDs.
Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
  Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend
  Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc
  Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power
  Process: 1347a5850958dce87216411605fc6943_JaffaCakes118.exe
  SafeBoot\Minimal lists the services allowed to start in Safe Mode. Removing these entries keeps Windows Defender, the User Profile Service and the Power service from starting there; ProfSvc in particular is needed for interactive logon, so cleanup from Safe Mode is obstructed.
Loads dropped DLL (64 IoCs)
  pid 2404 (2 entries): 1347a5850958dce87216411605fc6943_JaffaCakes118.exe
  pids 2808, 3796 (1 entry each): symlsrc.exe
  pids with 2 entries each, symlsrc.exe: 2988, 1896, 784, 2328, 972, 2704, 2768, 1236, 1744, 2680, 1544, 1960, 2888, 1296, 3284, 3528, 3760, 4004, 3212, 3580, 2912, 3772, 3336, 3136, 4312, 4596, 4804, 5040, 4196, 4728
  Apart from 2808, every PID here is a target process in the SetThreadContext list below.
Adds Run key to start application (2 TTPs, 64 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe"
  Process: symlsrc.exe
  All 64 entries are this same write. The value name imitates a Symantec component, and the data is a bare file name rather than a full path. The key lands under Wow6432Node because a 32-bit process writing HKLM\SOFTWARE on x64 is redirected there.
Drops file in System32 directory (64 IoCs)
  File created / File opened for modification C:\Windows\SysWOW64\symlsrc.exe
  Process: symlsrc.exe
  All 64 entries are on this one path. The signature says System32, but a 32-bit process writing to System32 on x64 is redirected by the file system to SysWOW64, which is the path recorded.
Suspicious use of SetThreadContext 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Processes
-
C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"2⤵
- Drops file in Drivers directory
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"4⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1732 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1896 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1584 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:784 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:592 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"10⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2328 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1920 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"12⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:972 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2448 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"14⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2680 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"16⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2768 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2364 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"18⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1236 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1940 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"20⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1744 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2916 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"22⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2680 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1184 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"24⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1544 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2912 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"26⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1960 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1296 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"28⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2888 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1164 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"30⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1296 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3136 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"32⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3284 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3388 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"34⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3528 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3624 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"36⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3760 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3876 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"38⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4004 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1164 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"40⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3212 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3456 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"42⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3580 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3868 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"44⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2912 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3352 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"46⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3772 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3868 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"48⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3336 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3860 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"50⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3136 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4172 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"52⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4312 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4440 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"54⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4596 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4684 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"56⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4804 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4908 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"58⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5040 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4100 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"60⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4196 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4484 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"62⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4728 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4892 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"64⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3796 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4372 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"66⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4748 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"67⤵
- Suspicious use of SetThreadContext
PID:4076 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"68⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4604 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"69⤵
- Suspicious use of SetThreadContext
PID:4756 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"70⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4392 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"71⤵
- Suspicious use of SetThreadContext
PID:5188 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"72⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5324 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"73⤵
- Suspicious use of SetThreadContext
PID:5412 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"74⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5552 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"75⤵
- Suspicious use of SetThreadContext
PID:5676 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"76⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5812 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"77⤵
- Suspicious use of SetThreadContext
PID:5916 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"78⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:6048 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"79⤵
- Suspicious use of SetThreadContext
PID:4604 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"80⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5192 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"81⤵
- Suspicious use of SetThreadContext
PID:5520 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"82⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5772 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"83⤵
- Suspicious use of SetThreadContext
PID:5896 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"84⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4336 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"85⤵
- Suspicious use of SetThreadContext
PID:5360 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"86⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
PID:5836 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"87⤵
- Suspicious use of SetThreadContext
PID:4856 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"88⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5784 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"89⤵
- Suspicious use of SetThreadContext
PID:6140 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"90⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5736 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"91⤵
- Suspicious use of SetThreadContext
PID:6304 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"92⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:6428 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"93⤵
- Suspicious use of SetThreadContext
PID:6544 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"94⤵
- Suspicious use of AdjustPrivilegeToken
PID: 6636
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (95)
- Suspicious use of SetThreadContext
PID: 6776
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (96)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
PID: 6880
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (97)
- Suspicious use of SetThreadContext
PID: 7024
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (98)
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID: 7144
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (99)
- Suspicious use of SetThreadContext
PID: 6032
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (100)
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 6448
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (101)
- Suspicious use of SetThreadContext
PID: 6612
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (102)
- Disables RegEdit via registry modification
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 6892
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (103)
- Suspicious use of SetThreadContext
PID: 6988
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (104)
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 6196
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (105)
- Suspicious use of SetThreadContext
PID: 6524
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (106)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 7032
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (107)
- Suspicious use of SetThreadContext
PID: 6168
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (108)
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
PID: 7016
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (109)
- Suspicious use of SetThreadContext
PID: 6772
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (110)
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
PID: 5876
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (111)
- Suspicious use of SetThreadContext
PID: 7340
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (112)
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 7468
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (113)
- Suspicious use of SetThreadContext
PID: 7576
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (114)
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 7720
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (115)
- Suspicious use of SetThreadContext
PID: 7820
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (116)
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 7948
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (117)
- Suspicious use of SetThreadContext
PID: 8060
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (118)
- Disables RegEdit via registry modification
- Suspicious use of AdjustPrivilegeToken
PID: 7204
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (119)
- Suspicious use of SetThreadContext
PID: 7188
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (120)
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 7496
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\system32\symlsrc.exe" (121)
- Suspicious use of SetThreadContext
PID: 7736
C:\Windows\SysWOW64\symlsrc.exe "C:\Windows\SysWOW64\symlsrc.exe" (122)
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID: 7820