Analysis Overview
SHA256
c107d769c98d35f4066a02fb7bd36fb7397f85f6f09f76add54a97dfa883f11c
Threat Level: Likely malicious
The file 1347a5850958dce87216411605fc6943_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Disables use of System Restore points
Drops file in Drivers directory
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 20:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 20:09
Reported
2024-06-26 20:12
Platform
win7-20240611-en
Max time kernel
21s
Max time network
122s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\symlsrc.exe | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| File created | C:\Windows\SysWOW64\symlsrc.exe | C:\Windows\SysWOW64\symlsrc.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\symlsrc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1347A5~1.EXE > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1150393511-554412064-1754477870-1669606289-1711450790-1218387618359227741-980324286"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "748726632-449113513-814932547315680756-16549810541147527141349420149944424121"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "145391227-73071757519730414901689823249-1863331589-109193335316003972742072699553"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13418543061277710559-187357370520007044861186518348-1112871455-11293975481419757757"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-56536970-292172635116117433919840006551961525236-622944347-1038351177-1718918506"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1989392490-748236503-1591877268-19989106671128731473-1679867071-484310298-1909524131"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "776648800-716194468-3284938786767235421969989341273316111392183691929489184"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2081177438-2088975049-168630120019165785031965629638218900077-1350207022-80201675"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1847641513470533118682759011-649377651213246722-536043985-893320066-2032431844"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "96721988488598294516485507-3004818171021166049637433126-1469499957-71901971"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19475848610328279781433190509-879166523-901380768-162116742-970340237-1118430980"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-750387747753606778-11612392471266989268-888472558-10915747771614436234-1299806188"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18478298018796734791868223150-1426415321155433769-4510266951239257237-123854089"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11903759623235419015239694021348727081-5799097891055833114-2033049452-1838726399"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "321285313-886168205-1534445676-13054122491620168760-2041973237895932669-1254030166"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1895686691-3634943201165707444114876778023611287-1241096130-20169880111812625588"
Network
Files
\Windows\SysWOW64\symlsrc.exe
| MD5 | 1347a5850958dce87216411605fc6943 |
| SHA1 | 4ffea76d2e204520411667bd6ef0f62b0ba4c807 |
| SHA256 | c107d769c98d35f4066a02fb7bd36fb7397f85f6f09f76add54a97dfa883f11c |
| SHA512 | 632b863daa9d3e2bc874a59d54310f51d8f592c5862dbf6297cd208f416bd89403f582ede680678eb18d1711f107b475efcdc7cd76884f1123577dc53063458c |
C:\Windows\system32\drivers\etc\hosts
\??\PIPE\srvsvc
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 20:09
Reported
2024-06-26 20:12
Platform
win10v2004-20240508-en
Max time kernel
62s
Max time network
63s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Licensing Source = "symlsrc.exe" | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\symlsrc.exe | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| File created | C:\Windows\SysWOW64\symlsrc.exe | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| File created | C:\Windows\SysWOW64\symlsrc.exe | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\symlsrc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\symlsrc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1347a5850958dce87216411605fc6943_JaffaCakes118.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1347A5~1.EXE > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\system32\symlsrc.exe"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.zip
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q *.com
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
C:\Windows\SysWOW64\CMD.exe
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrc.exe > nul
C:\Windows\SysWOW64\symlsrc.exe
"C:\Windows\SysWOW64\symlsrc.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
Files
C:\Windows\SysWOW64\symlsrc.exe
| MD5 | 1347a5850958dce87216411605fc6943 |
| SHA1 | 4ffea76d2e204520411667bd6ef0f62b0ba4c807 |
| SHA256 | c107d769c98d35f4066a02fb7bd36fb7397f85f6f09f76add54a97dfa883f11c |
| SHA512 | 632b863daa9d3e2bc874a59d54310f51d8f592c5862dbf6297cd208f416bd89403f582ede680678eb18d1711f107b475efcdc7cd76884f1123577dc53063458c |
C:\Windows\system32\drivers\etc\hosts
| MD5 | a7301e28065d05b884ca76c1bb28f716 |
| SHA1 | d95ffd2c1a3d01d016c6c344e025e206a254af23 |
| SHA256 | b61f5f810df3304ce4c0c9cd73f5a55e5815f94cd968a398542cd5de0b626e55 |
| SHA512 | db570978b7264e12648c39c853f6e3697692a7175edcb27f5b268492fb0c0d31b04f4dfa40bc4373e9cddb4d7e771d15512c13f7bf17c91843562c0de71d2d07 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |