Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 62s
max time network: 63s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/06/2024, 20:09
Static task: static1
Behavioral task: behavioral1
  Sample: 1347a5850958dce87216411605fc6943_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 1347a5850958dce87216411605fc6943_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 1347a5850958dce87216411605fc6943_JaffaCakes118.exe
Size: 62KB
MD5: 1347a5850958dce87216411605fc6943
SHA1: 4ffea76d2e204520411667bd6ef0f62b0ba4c807
SHA256: c107d769c98d35f4066a02fb7bd36fb7397f85f6f09f76add54a97dfa883f11c
SHA512: 632b863daa9d3e2bc874a59d54310f51d8f592c5862dbf6297cd208f416bd89403f582ede680678eb18d1711f107b475efcdc7cd76884f1123577dc53063458c
SSDEEP: 768:TEmqHyjzWTadaJcCi1WzCfoVPelpUqzj2eWrnJxTUJLdIBDYQQzURIKR6Lr8W/2W:TMIUJcljoViSDrzTUJpItzMURiLwqTh5
Malware Config
Signatures
Disables RegEdit via registry modification (53 IoCs)
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (53 IoCs)
Checks computer location settings (2 TTPs, 53 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (by 1347a5850958dce87216411605fc6943_JaffaCakes118.exe)
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (by 1347a5850958dce87216411605fc6943_JaffaCakes118.exe)
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (by 1347a5850958dce87216411605fc6943_JaffaCakes118.exe)
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (by 1347a5850958dce87216411605fc6943_JaffaCakes118.exe)
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (by 1347a5850958dce87216411605fc6943_JaffaCakes118.exe)
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (by 1347a5850958dce87216411605fc6943_JaffaCakes118.exe)
Adds Run key to start application (2 TTPs, 53 IoCs)
Drops file in System32 directory (64 IoCs)
description ioc Process (rows)
File created C:\Windows\SysWOW64\symlsrc.exe 1347a5850958dce87216411605fc6943_JaffaCakes118.exe (1)
File created C:\Windows\SysWOW64\symlsrc.exe symlsrc.exe (30)
File opened for modification C:\Windows\SysWOW64\symlsrc.exe symlsrc.exe (33)
The 64 rows collapse to these three. The original sample drops the copy once; every later symlsrc.exe generation creates the same path again or opens it for writing, so each generation re-installs the file. The image lands in SysWOW64 although the command lines in the process tree ask for C:\Windows\system32\symlsrc.exe: WOW64 file-system redirection maps system32 to SysWOW64 for a 32-bit process, so a hunt that checks only C:\Windows\System32 misses the file.
-
Suspicious use of SetThreadContext 54 IoCs
description pid Process procid_target
(parent pid -> child pid, parent image, Triage procid of the child)
760 -> 2304    1347a5850958dce87216411605fc6943_JaffaCakes118.exe   81
3332 -> 4740   symlsrc.exe   92
4884 -> 3888   symlsrc.exe   104
2644 -> 528    symlsrc.exe   116
1952 -> 3764   symlsrc.exe   128
2800 -> 1184   symlsrc.exe   140
5020 -> 3976   symlsrc.exe   152
1416 -> 500    symlsrc.exe   164
1976 -> 4748   symlsrc.exe   176
3820 -> 3132   symlsrc.exe   188
3296 -> 5192   symlsrc.exe   200
5404 -> 5564   symlsrc.exe   212
5736 -> 5928   symlsrc.exe   224
6088 -> 5332   symlsrc.exe   236
5792 -> 5932   symlsrc.exe   248
4188 -> 6192   symlsrc.exe   257
6412 -> 6536   symlsrc.exe   272
6784 -> 6984   symlsrc.exe   284
7124 -> 6308   symlsrc.exe   296
6648 -> 6352   symlsrc.exe   308
6648 -> 7312   symlsrc.exe   320
7480 -> 7668   symlsrc.exe   332
7804 -> 7964   symlsrc.exe   344
8120 -> 7524   symlsrc.exe   356
7704 -> 6416   symlsrc.exe   368
7696 -> 8376   symlsrc.exe   380
8500 -> 8660   symlsrc.exe   392
8824 -> 8996   symlsrc.exe   404
9152 -> 8216   symlsrc.exe   416
8688 -> 9120   symlsrc.exe   428
8872 -> 7316   symlsrc.exe   440
9352 -> 9536   symlsrc.exe   452
9676 -> 9864   symlsrc.exe   464
10004 -> 10188 symlsrc.exe   476
9284 -> 9896   symlsrc.exe   488
10016 -> 9444  symlsrc.exe   500
10360 -> 10512 symlsrc.exe   512
10684 -> 10868 symlsrc.exe   524
11008 -> 11112 symlsrc.exe   536
10292 -> 10892 symlsrc.exe   548
11132 -> 11184 symlsrc.exe   560
11340 -> 11524 symlsrc.exe   572
11668 -> 11796 symlsrc.exe   584
11992 -> 12168 symlsrc.exe   596
10960 -> 11672 symlsrc.exe   608
10360 -> 11344 symlsrc.exe   672
12408 -> 12520 symlsrc.exe   632
12736 -> 12904 symlsrc.exe   644
13060 -> 13188 symlsrc.exe   656
12308 -> 12752 symlsrc.exe   668
11344 -> 13448 symlsrc.exe   682
13592 -> 13776 symlsrc.exe   694
13900 -> 13980 symlsrc.exe   698
14092 -> 14176 symlsrc.exe   707
Every row is a parent redirecting a thread in a child that runs the parent's own image, and every one of these pairs recurs in the WriteProcessMemory list below with nine writes; that combination is consistent with the classic process-hollowing sequence (start a child of the same image, overwrite its memory, point a thread at the new entry point with SetThreadContext, let it run). Parent PIDs 6648 and 10360 each appear twice because PIDs were recycled during the 62 s run; the procid_target column, Triage's per-process index for the child, is the stable key when joining these rows to other signatures.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 53 IoCs
description ioc Process (rows)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 1347a5850958dce87216411605fc6943_JaffaCakes118.exe (1)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ symlsrc.exe (52)
All 53 rows name the same key. The WOW6432Node path shows a 32-bit process writing HKLM\SOFTWARE\Classes through registry redirection. Only key creation is recorded, no values, so the report alone does not establish what the CLSID is used for; on a live host, inspect the key's values and the corresponding entry under the 64-bit HKLM\SOFTWARE\Classes\CLSID before calling it a COM hijack.
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process
Token: SeIncBasePriorityPrivilege 2304 1347a5850958dce87216411605fc6943_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege symlsrc.exe, 52 processes: 4740, 3888, 528, 3764, 1184, 3976, 500, 4748, 3132, 5192, 5564, 5928, 5332, 5932, 6192, 6536, 6984, 6308, 6352, 7312, 7668, 7964, 7524, 6416, 8376, 8660, 8996, 8216, 9120, 7316, 9536, 9864, 10188, 9896, 9444, 10512, 10868, 11112, 10892, 11184, 11524, 11796, 12168, 11672, 11344, 12520, 12904, 13188, 12752, 13448, 13776, 13980
Every PID here is the child side of a SetThreadContext pair above: the privilege is enabled inside the hollowed instance once the injected code is running, never in the launching stub. SeIncBasePriorityPrivilege only allows a process to raise scheduling priority, so on its own it is a weak indicator; its value in this report is that it marks which processes executed the payload.
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
(parent pid -> child pid, parent image, Triage procid of the child, number of writes)
760 -> 2304    1347a5850958dce87216411605fc6943_JaffaCakes118.exe   81   9
2304 -> 3332   1347a5850958dce87216411605fc6943_JaffaCakes118.exe   82   3
2304 -> 1564   1347a5850958dce87216411605fc6943_JaffaCakes118.exe   83   3
2304 -> 464    1347a5850958dce87216411605fc6943_JaffaCakes118.exe   84   3
2304 -> 4928   1347a5850958dce87216411605fc6943_JaffaCakes118.exe   85   3
2304 -> 2916   1347a5850958dce87216411605fc6943_JaffaCakes118.exe   86   3
2304 -> 1964   1347a5850958dce87216411605fc6943_JaffaCakes118.exe   89   3
3332 -> 4740   symlsrc.exe   92   9
4740 -> 4884   symlsrc.exe   94   3
4740 -> 532    symlsrc.exe   95   3
4740 -> 576    symlsrc.exe   96   3
4740 -> 1080   symlsrc.exe   97   3
4740 -> 3256   symlsrc.exe   98   3
4740 -> 1760   symlsrc.exe   100  3
4884 -> 3888   symlsrc.exe   104  9
3888 -> 2644   symlsrc.exe   106  1
The 64 rows collapse to these 16 pairs. Pairs that also appear in the SetThreadContext list receive nine writes each; the other children (1564, 464, 4928, 2916, 1964 under 2304 and 532, 576, 1080, 3256, 1760 under 4740) receive the three writes typically recorded for an ordinary CreateProcess and are absent from the SetThreadContext list, so they read as plain child launches rather than injection targets. The list stops at 64 rows, which is why the 3888 -> 2644 pair is cut off after its first write even though the process tree shows the chain continuing.
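The SetThreadContext and WriteProcessMemory rows above, together with the Drops file rows, are what an analyst correlates to decide whether a parent is hollowing its child. The Python below is an example added alongside this report; it is not Triage's code and not the sample's. It parses rows in the flattened text form shown on this page (the regular expressions, the Pair key built on Triage's procid, and the baseline of three writes for an ordinary CreateProcess are this example's own assumptions), deduplicates file events, and classifies every parent/child pair. The sample input is a constructed subset of the rows printed above.

```python
"""Correlate flattened Triage signature rows into a hollowing verdict.

Example added next to this report (not Triage tooling, not the sample's code).
Parses the rows as the page flattens them: "PID <src> set thread context of
<dst> <src> <image> <procid_target>", the matching "wrote to memory of" rows,
and "File <created|opened for modification> <path> <image>".  Assumption: an
ordinary CreateProcess appears as three writes into its child, so only more
than three writes combined with SetThreadContext counts as payload delivery.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

SET_CTX = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)")
WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
FILE_EVENT = re.compile(r"File (created|opened for modification) (\S+) (\S+)")


class Pair(NamedTuple):
    parent_pid: int
    child_pid: int
    child_procid: int  # Triage's per-process index; stable even when a PID is reused
    parent_image: str


def parse_pairs(text: str, pattern: "re.Pattern[str]") -> List[Pair]:
    return [Pair(int(s), int(d), int(p), img) for s, d, img, p in pattern.findall(text)]


def correlate(set_ctx_text: str, write_text: str, normal_writes: int = 3) -> Dict[Pair, Tuple[int, str]]:
    """Map each parent/child pair to (number of writes, verdict)."""
    writes = Counter(parse_pairs(write_text, WRITE))
    redirected = set(parse_pairs(set_ctx_text, SET_CTX))
    verdicts: Dict[Pair, Tuple[int, str]] = {}
    for pair in set(writes) | redirected:
        n = writes[pair]
        if pair in redirected and n > normal_writes:
            label = "hollowing"        # payload written, then the child's thread is hijacked
        elif pair in redirected:
            label = "thread-context-only"
        elif n > normal_writes:
            label = "write-only"
        else:
            label = "ordinary-child"   # only the writes CreateProcess itself makes
        verdicts[pair] = (n, label)
    return verdicts


def hollowing_pairs(verdicts: Dict[Pair, Tuple[int, str]]) -> List[Tuple[int, int]]:
    return sorted((p.parent_pid, p.child_pid) for p, (_, v) in verdicts.items() if v == "hollowing")


def lineage(verdicts: Dict[Pair, Tuple[int, str]]) -> List[int]:
    """Walk from the root process through the children that spawn further children."""
    children: Dict[int, List[int]] = {}
    for p in verdicts:
        children.setdefault(p.parent_pid, []).append(p.child_pid)
    roots = sorted(set(children) - {c for kids in children.values() for c in kids})
    if len(roots) != 1:
        raise ValueError(f"expected a single root process, found {roots}")
    chain = [roots[0]]
    while chain[-1] in children:
        kids = [c for c in children[chain[-1]] if c not in chain]   # guard against PID reuse loops
        onward = [c for c in kids if c in children]
        if onward:
            chain.append(onward[0])
            continue
        if len(kids) == 1:
            chain.append(kids[0])  # terminal child of the chain
        break
    return chain


def summarise_file_events(text: str) -> Counter:
    """Collapse repeated file rows into (action, path, image) -> count."""
    return Counter(FILE_EVENT.findall(text))


# Constructed sample: a subset of this report's rows, re-flattened as on the page.
_SAMPLE = "1347a5850958dce87216411605fc6943_JaffaCakes118.exe"
SET_THREAD_CONTEXT_ROWS = " ".join([
    f"PID 760 set thread context of 2304 760 {_SAMPLE} 81",
    "PID 3332 set thread context of 4740 3332 symlsrc.exe 92",
    "PID 4884 set thread context of 3888 4884 symlsrc.exe 104",
])
WRITE_PROCESS_MEMORY_ROWS = " ".join([
    *9 * [f"PID 760 wrote to memory of 2304 760 {_SAMPLE} 81"],
    *3 * [f"PID 2304 wrote to memory of 3332 2304 {_SAMPLE} 82"],
    *3 * [f"PID 2304 wrote to memory of 1564 2304 {_SAMPLE} 83"],
    *9 * ["PID 3332 wrote to memory of 4740 3332 symlsrc.exe 92"],
    *3 * ["PID 4740 wrote to memory of 4884 4740 symlsrc.exe 94"],
    *9 * ["PID 4884 wrote to memory of 3888 4884 symlsrc.exe 104"],
])
FILE_ROWS = " ".join([
    rf"File created C:\Windows\SysWOW64\symlsrc.exe {_SAMPLE}",
    *2 * [r"File created C:\Windows\SysWOW64\symlsrc.exe symlsrc.exe"],
    *3 * [r"File opened for modification C:\Windows\SysWOW64\symlsrc.exe symlsrc.exe"],
])

if __name__ == "__main__":
    verdicts = correlate(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS)
    print("hollowing pairs:", hollowing_pairs(verdicts))
    print("lineage:", " -> ".join(map(str, lineage(verdicts))))
    print("file events:", dict(summarise_file_events(FILE_ROWS)))
```

On the sample rows this reports 760 -> 2304, 3332 -> 4740 and 4884 -> 3888 as hollowing (nine writes each plus SetThreadContext), the three-write children as ordinary launches, and the lineage 760 -> 2304 -> 3332 -> 4740 -> 4884 -> 3888, which is the alternating stub/payload pattern visible in the process tree below. Keying on procid rather than PID alone is what keeps the recycled PIDs 6648 and 10360 from being merged when the full row set is fed in.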
Processes
How to read the chain: each entry gives the image path, the command line it was started with, and its nesting depth. Odd-depth processes are started as "C:\Windows\system32\symlsrc.exe" (WOW64 redirects the 32-bit image to SysWOW64) and show only SetThreadContext and WriteProcessMemory, i.e. they are the stub that hollows the next level; even-depth processes are started with the real SysWOW64 path, carry the persistence and defence-evasion behaviour (RegEdit policy, Run key, Drivers and System32 drops, CLSID key), and then launch the next generation. The same PID can appear twice (6648 at depths 39 and 41) because an exited process's PID was reused during the 62 s run; correlate by depth or by Triage's procid, not by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe", depth 1)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe", depth 2)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 3)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 4)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 6)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 7)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2644 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 8)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:528 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 9)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1952 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 10)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3764 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 11)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2800 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 12)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1184 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 13)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5020 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 14)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3976 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 15)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1416 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 16)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:500 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 17)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1976 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 18)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4748 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 19)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3820 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 20)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3132 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 21)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3296 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 22)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5192 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 23)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5404 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 24)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5564 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 25)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5736 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 26)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5928 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 27)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6088 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 28)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5332 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 29)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5792 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 30)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5932 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 31)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4188 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 32)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6192 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 33)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6412 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 34)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6536 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 35)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6784 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 36)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6984 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 37)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7124 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 38)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6308 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 39)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6648 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 40)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6352 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 41)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6648 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 42)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:7312 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 43)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7480 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 44)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:7668 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 45)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7804 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 46)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:7964 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 47)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:8120 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 48)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:7524 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\system32\symlsrc.exe", depth 49)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7704 -
C:\Windows\SysWOW64\symlsrc.exe  (command line: "C:\Windows\SysWOW64\symlsrc.exe", depth 50)
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6416 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7696 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"52⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:8376 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:8500 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"54⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:8660 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:8824 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"56⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:8996 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:9152 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"58⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:8216 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:8688 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"60⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:9120 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:8872 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"62⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:7316 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:9352 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"64⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:9536 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:9676 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"66⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:9864 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"67⤵
- Suspicious use of SetThreadContext
PID:10004 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"68⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:10188 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"69⤵
- Suspicious use of SetThreadContext
PID:9284 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"70⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:9896 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"71⤵
- Suspicious use of SetThreadContext
PID:10016 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"72⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:9444 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"73⤵
- Suspicious use of SetThreadContext
PID:10360 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"74⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:10512 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"75⤵
- Suspicious use of SetThreadContext
PID:10684 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"76⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:10868 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"77⤵
- Suspicious use of SetThreadContext
PID:11008 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"78⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:11112 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"79⤵
- Suspicious use of SetThreadContext
PID:10292 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"80⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:10892 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"81⤵
- Suspicious use of SetThreadContext
PID:11132 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"82⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:11184 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"83⤵
- Suspicious use of SetThreadContext
PID:11340 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"84⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:11524 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"85⤵
- Suspicious use of SetThreadContext
PID:11668 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"86⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:11796 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"87⤵
- Suspicious use of SetThreadContext
PID:11992 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"88⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:12168 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"89⤵
- Suspicious use of SetThreadContext
PID:10960 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"90⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:11672 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"91⤵
- Suspicious use of SetThreadContext
PID:10360 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"92⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:11344 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"93⤵
- Suspicious use of SetThreadContext
PID:12408 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"94⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:12520 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"95⤵
- Suspicious use of SetThreadContext
PID:12736 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"96⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:12904 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"97⤵
- Suspicious use of SetThreadContext
PID:13060 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"98⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:13188 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"99⤵
- Suspicious use of SetThreadContext
PID:12308 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"100⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:12752 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"101⤵
- Suspicious use of SetThreadContext
PID:11344 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"102⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:13448 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"103⤵
- Suspicious use of SetThreadContext
PID:13592 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"104⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:13776 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"105⤵
- Suspicious use of SetThreadContext
PID:13900 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"106⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:13980 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\system32\symlsrc.exe"107⤵
- Suspicious use of SetThreadContext
PID:14092 -
C:\Windows\SysWOW64\symlsrc.exe"C:\Windows\SysWOW64\symlsrc.exe"108⤵PID:14176
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip107⤵PID:14108
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com107⤵PID:14120
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"107⤵PID:14128
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"107⤵PID:14136
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul105⤵PID:13964
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip103⤵PID:13608
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com103⤵PID:13616
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"103⤵PID:13624
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"103⤵PID:13632
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul103⤵PID:13684
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip101⤵PID:12736
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com101⤵PID:1204
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"101⤵PID:4448
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"101⤵PID:3548
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul101⤵PID:13352
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip99⤵PID:12484
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com99⤵PID:12512
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"99⤵PID:12456
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"99⤵PID:12576
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul99⤵PID:12704
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip97⤵PID:13072
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com97⤵PID:13080
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"97⤵PID:13088
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"97⤵PID:13096
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul97⤵PID:13120
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip95⤵PID:12756
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com95⤵PID:12764
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"95⤵PID:12772
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"95⤵PID:12780
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul95⤵PID:12828
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip93⤵PID:12424
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com93⤵PID:12432
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"93⤵PID:12440
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"93⤵PID:12460
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul93⤵PID:12476
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip91⤵PID:11536
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com91⤵PID:11348
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"91⤵PID:12228
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"91⤵PID:12264
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul91⤵PID:11676
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip89⤵PID:11108
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com89⤵PID:11424
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"89⤵PID:11404
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"89⤵PID:11436
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV190⤵PID:11340
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul89⤵PID:11560
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip87⤵PID:12008
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com87⤵PID:12016
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"87⤵PID:12024
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"87⤵PID:12032
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul87⤵PID:12080
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip85⤵PID:11684
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com85⤵PID:11692
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"85⤵PID:11700
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"85⤵PID:11708
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul85⤵PID:11748
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip83⤵PID:11352
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com83⤵PID:11360
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"83⤵PID:11368
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"83⤵PID:11376
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul83⤵PID:11392
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip81⤵PID:10244
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com81⤵PID:10324
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"81⤵PID:11212
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"81⤵PID:10192
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul81⤵PID:11148
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip79⤵PID:10332
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com79⤵PID:10256
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"79⤵PID:9580
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"79⤵PID:10428
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul79⤵PID:10528
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip77⤵PID:11024
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com77⤵PID:11032
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"77⤵PID:11040
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"77⤵PID:11048
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul77⤵PID:11096
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV178⤵PID:10016
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip75⤵PID:10696
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com75⤵PID:10704
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"75⤵PID:10712
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"75⤵PID:10720
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul75⤵PID:10736
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip73⤵PID:10376
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com73⤵PID:10384
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"73⤵PID:10392
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"73⤵PID:10400
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul73⤵PID:10448
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip71⤵PID:1180
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com71⤵PID:9232
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"71⤵PID:8504
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"71⤵PID:8756
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul71⤵PID:9264
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip69⤵PID:9412
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com69⤵PID:9432
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"69⤵PID:9420
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"69⤵PID:9544
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV170⤵PID:9352
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul69⤵PID:9636
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip67⤵PID:10020
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com67⤵PID:10028
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"67⤵PID:10036
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"67⤵PID:10044
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul67⤵PID:10060
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip65⤵PID:9688
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com65⤵PID:9696
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"65⤵PID:9704
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"65⤵PID:9712
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul65⤵PID:9728
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip63⤵PID:9364
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com63⤵PID:9372
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"63⤵PID:9380
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"63⤵PID:9388
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul63⤵PID:9404
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip61⤵PID:8448
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com61⤵PID:8592
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"61⤵PID:8684
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"61⤵PID:3796
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul61⤵PID:9084
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip59⤵PID:8524
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com59⤵PID:8724
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"59⤵PID:4552
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"59⤵PID:8788
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul59⤵PID:8744
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip57⤵PID:9164
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com57⤵PID:9172
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"57⤵PID:9180
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"57⤵PID:9188
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul57⤵PID:9204
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip55⤵PID:8836
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com55⤵PID:8844
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"55⤵PID:8852
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"55⤵PID:8860
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul55⤵PID:8880
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip53⤵PID:8516
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com53⤵PID:8528
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"53⤵PID:8536
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"53⤵PID:8544
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul53⤵PID:8580
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip51⤵PID:7980
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com51⤵PID:7716
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"51⤵PID:8196
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"51⤵PID:8204
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul51⤵PID:8236
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip49⤵PID:7812
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com49⤵PID:7872
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"49⤵PID:7888
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"49⤵PID:7896
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul49⤵PID:7816
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip47⤵PID:8136
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com47⤵PID:8144
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"47⤵PID:8152
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"47⤵PID:8160
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul47⤵PID:7208
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip45⤵PID:7820
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com45⤵PID:7828
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"45⤵PID:7836
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"45⤵PID:7844
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul45⤵PID:7860
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip43⤵PID:7492
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com43⤵PID:7500
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"43⤵PID:7508
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"43⤵PID:7516
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul43⤵PID:7532
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip41⤵PID:7176
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com41⤵PID:7184
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"41⤵PID:7192
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"41⤵PID:7200
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul41⤵PID:7224
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip39⤵PID:6852
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com39⤵PID:6868
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"39⤵PID:6892
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"39⤵PID:6884
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV140⤵PID:6784
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul39⤵PID:7028
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip37⤵PID:7140
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com37⤵PID:7148
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"37⤵PID:7156
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"37⤵PID:7164
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul37⤵PID:5416
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV138⤵PID:6412
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip35⤵PID:6808
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com35⤵PID:6816
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"35⤵PID:6824
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"35⤵PID:6832
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul35⤵PID:6872
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip33⤵PID:6432
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com33⤵PID:6448
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"33⤵PID:6468
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"33⤵PID:6476
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul33⤵PID:6504
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip31⤵PID:5644
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com31⤵PID:5260
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"31⤵PID:5128
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"31⤵PID:6156
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul31⤵PID:6168
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip29⤵PID:5568
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com29⤵PID:5804
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"29⤵PID:5836
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"29⤵PID:5828
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul29⤵PID:5952
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip27⤵PID:6112
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com27⤵PID:6120
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"27⤵PID:6128
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"27⤵PID:6136
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul27⤵PID:1256
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip25⤵PID:5760
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com25⤵PID:5768
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"25⤵PID:5776
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"25⤵PID:5784
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul25⤵PID:5816
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip23⤵PID:5428
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com23⤵PID:5436
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"23⤵PID:5444
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"23⤵PID:5452
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul23⤵PID:5484
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip21⤵PID:1276
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com21⤵PID:1328
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"21⤵PID:2096
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"21⤵PID:3408
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul21⤵PID:5132
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip19⤵PID:4776
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com19⤵PID:3356
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"19⤵PID:4520
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"19⤵PID:184
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul19⤵PID:4192
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip17⤵PID:4720
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com17⤵PID:3900
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"17⤵PID:3752
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"17⤵PID:1952
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul17⤵PID:4372
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip15⤵PID:3236
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com15⤵PID:3816
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"15⤵PID:4136
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"15⤵PID:2384
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul15⤵PID:3572
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip13⤵PID:3744
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com13⤵PID:4528
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"13⤵PID:980
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"13⤵PID:244
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul13⤵PID:4996
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip11⤵PID:2360
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com11⤵PID:656
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"11⤵PID:1032
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"11⤵PID:2676
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul11⤵PID:3268
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip9⤵PID:400
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com9⤵PID:3724
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"9⤵PID:1116
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"9⤵PID:880
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul9⤵PID:1320
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip7⤵PID:4456
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com7⤵PID:4180
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"7⤵PID:808
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"7⤵PID:4816
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul7⤵PID:3808
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip5⤵PID:532
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com5⤵PID:576
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"5⤵PID:1080
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"5⤵PID:3256
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul5⤵PID:1760
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵PID:1564
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵PID:464
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵PID:4928
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵PID:2916
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1347A5~1.EXE > nul3⤵PID:1964
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 8KB
MD5: a7301e28065d05b884ca76c1bb28f716
SHA1: d95ffd2c1a3d01d016c6c344e025e206a254af23
SHA256: b61f5f810df3304ce4c0c9cd73f5a55e5815f94cd968a398542cd5de0b626e55
SHA512: db570978b7264e12648c39c853f6e3697692a7175edcb27f5b268492fb0c0d31b04f4dfa40bc4373e9cddb4d7e771d15512c13f7bf17c91843562c0de71d2d07