Malware Analysis Report

2025-03-15 00:54

Sample ID 240626-yxhf6stfkr
Target 1347a5850958dce87216411605fc6943_JaffaCakes118
SHA256 c107d769c98d35f4066a02fb7bd36fb7397f85f6f09f76add54a97dfa883f11c
Tags: defense_evasion, evasion, persistence
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 1347a5850958dce87216411605fc6943_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion evasion persistence

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Disables use of System Restore points

Drops file in Drivers directory

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 20:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 20:09

Reported

2024-06-26 20:12

Platform

win7-20240611-en

Max time kernel

21s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" C:\Windows\SysWOW64\symlsrc.exe N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\symlsrc.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\symlsrc.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\symlsrc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe N/A
File created C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2244 set thread context of 2404 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe
PID 2808 set thread context of 2988 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 1732 set thread context of 1896 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 1584 set thread context of 784 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 592 set thread context of 2328 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 1920 set thread context of 972 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2448 set thread context of 2704 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2680 set thread context of 2768 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2364 set thread context of 1236 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 1940 set thread context of 1744 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2916 set thread context of 2680 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 1184 set thread context of 1544 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2912 set thread context of 1960 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 1296 set thread context of 2888 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 1164 set thread context of 1296 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3136 set thread context of 3284 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3388 set thread context of 3528 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3624 set thread context of 3760 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3876 set thread context of 4004 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 1164 set thread context of 3212 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3456 set thread context of 3580 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3868 set thread context of 2912 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3352 set thread context of 3772 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3868 set thread context of 3336 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3860 set thread context of 3136 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4172 set thread context of 4312 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4440 set thread context of 4596 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4684 set thread context of 4804 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4908 set thread context of 5040 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4100 set thread context of 4196 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4484 set thread context of 4728 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4892 set thread context of 3796 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4372 set thread context of 4748 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4076 set thread context of 4604 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\system32\conhost.exe
PID 4756 set thread context of 4392 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5188 set thread context of 5324 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5412 set thread context of 5552 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5676 set thread context of 5812 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5916 set thread context of 6048 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4604 set thread context of 5192 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5520 set thread context of 5772 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5896 set thread context of 4336 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5360 set thread context of 5836 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4856 set thread context of 5784 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 6140 set thread context of 5736 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6304 set thread context of 6428 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6544 set thread context of 6636 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6776 set thread context of 6880 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7024 set thread context of 7144 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6032 set thread context of 6448 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6612 set thread context of 6892 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6988 set thread context of 6196 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6524 set thread context of 7032 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6168 set thread context of 7016 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6772 set thread context of 5876 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\cmd.exe
PID 7340 set thread context of 7468 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7576 set thread context of 7720 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7820 set thread context of 7948 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 8060 set thread context of 7204 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7188 set thread context of 7496 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7736 set thread context of 7820 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 8148 set thread context of 7408 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7796 set thread context of 7816 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7536 set thread context of 8068 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\symlsrc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe
PID 2404 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2404 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\CMD.exe
PID 2404 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\CMD.exe
PID 2404 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\CMD.exe
PID 2404 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\CMD.exe
PID 2808 wrote to memory of 2988 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2404 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1732 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2988 wrote to memory of 820 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 2988 wrote to memory of 2932 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 2988 wrote to memory of 2936 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 2988 wrote to memory of 2936 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 2988 wrote to memory of 2936 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 2988 wrote to memory of 2936 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 2988 wrote to memory of 2968 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 2988 wrote to memory of 2968 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 2988 wrote to memory of 2968 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 2988 wrote to memory of 2968 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1347A5~1.EXE > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1150393511-554412064-1754477870-1669606289-1711450790-1218387618359227741-980324286"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "96721988488598294516485507-3004818171021166049637433126-1469499957-71901971"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19475848610328279781433190509-879166523-901380768-162116742-970340237-1118430980"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-750387747753606778-11612392471266989268-888472558-10915747771614436234-1299806188"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18478298018796734791868223150-1426415321155433769-4510266951239257237-123854089"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11903759623235419015239694021348727081-5799097891055833114-2033049452-1838726399"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "321285313-886168205-1534445676-13054122491620168760-2041973237895932669-1254030166"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1895686691-3634943201165707444114876778023611287-1241096130-20169880111812625588"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1933189969-1836263352-1733902591-8051547021398764307801790792064355333-1744441934"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "75520489385084759138784270977948998-153628174018287285021105877531-522486779"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1410329542-446732082-171861101065507079-903687278-1375919683-1763183726-194003697"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1665267575-1195449411555467523-1823340885-768532411115055551122720352937900352"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1555997937-1186897853525323780-164019268914748214201229220210470732325412560066"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1148621403-1033988753-7834486081679977314-4362697801191622502-1171205265560556884"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "644292152-781364419157863440-966342829-455724496-316023952-11148326111774843595"

Network

N/A

Files

\Windows\SysWOW64\symlsrc.exe

MD5 1347a5850958dce87216411605fc6943
SHA1 4ffea76d2e204520411667bd6ef0f62b0ba4c807
SHA256 c107d769c98d35f4066a02fb7bd36fb7397f85f6f09f76add54a97dfa883f11c
SHA512 632b863daa9d3e2bc874a59d54310f51d8f592c5862dbf6297cd208f416bd89403f582ede680678eb18d1711f107b475efcdc7cd76884f1123577dc53063458c

memory/2808-42-0x0000000001EE0000-0x0000000001EF6000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 a7301e28065d05b884ca76c1bb28f716
SHA1 d95ffd2c1a3d01d016c6c344e025e206a254af23
SHA256 b61f5f810df3304ce4c0c9cd73f5a55e5815f94cd968a398542cd5de0b626e55
SHA512 db570978b7264e12648c39c853f6e3697692a7175edcb27f5b268492fb0c0d31b04f4dfa40bc4373e9cddb4d7e771d15512c13f7bf17c91843562c0de71d2d07

memory/1732-66-0x0000000001EE0000-0x0000000001EF6000-memory.dmp

memory/1584-87-0x0000000001EE0000-0x0000000001EF6000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 20:09

Reported

2024-06-26 20:12

Platform

win10v2004-20240508-en

Max time kernel

62s

Max time network

63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\symlsrc.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\symlsrc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\symlsrc.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Windows\SysWOW64\symlsrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe N/A
File created C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe N/A
File created C:\Windows\SysWOW64\symlsrc.exe C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 760 set thread context of 2304 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe
PID 3332 set thread context of 4740 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4884 set thread context of 3888 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2644 set thread context of 528 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 1952 set thread context of 3764 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2800 set thread context of 1184 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5020 set thread context of 3976 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 1416 set thread context of 500 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 1976 set thread context of 4748 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3820 set thread context of 3132 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3296 set thread context of 5192 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5404 set thread context of 5564 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5736 set thread context of 5928 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6088 set thread context of 5332 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 5792 set thread context of 5932 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4188 set thread context of 6192 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6412 set thread context of 6536 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6784 set thread context of 6984 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7124 set thread context of 6308 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6648 set thread context of 6352 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 6648 set thread context of 7312 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7480 set thread context of 7668 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7804 set thread context of 7964 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 8120 set thread context of 7524 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7704 set thread context of 6416 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 7696 set thread context of 8376 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 8500 set thread context of 8660 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 8824 set thread context of 8996 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 9152 set thread context of 8216 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 8688 set thread context of 9120 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 8872 set thread context of 7316 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 9352 set thread context of 9536 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 9676 set thread context of 9864 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 10004 set thread context of 10188 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 9284 set thread context of 9896 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 10016 set thread context of 9444 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 10360 set thread context of 10512 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 10684 set thread context of 10868 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 11008 set thread context of 11112 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 10292 set thread context of 10892 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 11132 set thread context of 11184 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 11340 set thread context of 11524 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 11668 set thread context of 11796 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 11992 set thread context of 12168 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 10960 set thread context of 11672 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 10360 set thread context of 11344 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 12408 set thread context of 12520 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 12736 set thread context of 12904 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 13060 set thread context of 13188 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 12308 set thread context of 12752 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 11344 set thread context of 13448 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 13592 set thread context of 13776 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 13900 set thread context of 13980 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 14092 set thread context of 14176 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\symlsrc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\symlsrc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe
PID 2304 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\symlsrc.exe
PID 2304 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\CMD.exe
PID 2304 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\CMD.exe
PID 2304 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\CMD.exe
PID 2304 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\CMD.exe
PID 2304 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 4740 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4740 wrote to memory of 4884 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 4740 wrote to memory of 532 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 4740 wrote to memory of 576 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 4740 wrote to memory of 1080 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 4740 wrote to memory of 3256 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\CMD.exe
PID 4740 wrote to memory of 1760 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 3888 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe
PID 3888 wrote to memory of 2644 N/A C:\Windows\SysWOW64\symlsrc.exe C:\Windows\SysWOW64\symlsrc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1347A5~1.EXE > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\system32\symlsrc.exe"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.zip

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q *.com

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"

C:\Windows\SysWOW64\CMD.exe

CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul

C:\Windows\SysWOW64\symlsrc.exe

"C:\Windows\SysWOW64\symlsrc.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Files

C:\Windows\SysWOW64\symlsrc.exe

MD5 1347a5850958dce87216411605fc6943
SHA1 4ffea76d2e204520411667bd6ef0f62b0ba4c807
SHA256 c107d769c98d35f4066a02fb7bd36fb7397f85f6f09f76add54a97dfa883f11c
SHA512 632b863daa9d3e2bc874a59d54310f51d8f592c5862dbf6297cd208f416bd89403f582ede680678eb18d1711f107b475efcdc7cd76884f1123577dc53063458c

C:\Windows\system32\drivers\etc\hosts

MD5 a7301e28065d05b884ca76c1bb28f716
SHA1 d95ffd2c1a3d01d016c6c344e025e206a254af23
SHA256 b61f5f810df3304ce4c0c9cd73f5a55e5815f94cd968a398542cd5de0b626e55
SHA512 db570978b7264e12648c39c853f6e3697692a7175edcb27f5b268492fb0c0d31b04f4dfa40bc4373e9cddb4d7e771d15512c13f7bf17c91843562c0de71d2d07

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
