7451988910c8306e03cf10cebb4099cb360cf45685a175d67022cedb90be36a3

Analysis

max time kernel
45s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Size

72KB
MD5

5df7b6914058320be1ecac739d32a4a7
SHA1

e4e867c32f36bba89fee537bde7d4c4934a3fe0d
SHA256

7451988910c8306e03cf10cebb4099cb360cf45685a175d67022cedb90be36a3
SHA512

3bfa6518383aa4a60caf27d363481b95e73f1aa7c40b615b025304d337711b82b7d78e1dd3c8e669bbaf25ebaeb0955e6f9aeda47a0eef93b81a1483d3fabf4b
SSDEEP

1536:+EXzfXeRZhjgu5VQrBanw5nTN8a9B1IuAbWhVtVmAKTwL:BPyhjguLQrTTN8a93I7b2DV7K8L

Score

8^/10

defense_evasion evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2164	symlsrvn.exe
2728	symlsrvn.exe
1884	symlsrvn.exe
1776	symlsrvn.exe
2204	symlsrvn.exe
340	symlsrvn.exe
952	symlsrvn.exe
656	symlsrvn.exe
2536	symlsrvn.exe
1576	symlsrvn.exe
2076	symlsrvn.exe
2840	symlsrvn.exe
2860	symlsrvn.exe
2900	symlsrvn.exe
2596	symlsrvn.exe
2052	symlsrvn.exe
1064	symlsrvn.exe
1672	symlsrvn.exe
1616	symlsrvn.exe
1932	symlsrvn.exe
2412	symlsrvn.exe
2776	symlsrvn.exe
3004	symlsrvn.exe
2860	symlsrvn.exe
2660	symlsrvn.exe
2920	symlsrvn.exe
1912	symlsrvn.exe
2420	symlsrvn.exe
1736	symlsrvn.exe
2572	symlsrvn.exe
1412	symlsrvn.exe
2536	symlsrvn.exe
2748	symlsrvn.exe
768	symlsrvn.exe
2876	symlsrvn.exe
2860	symlsrvn.exe
2184	symlsrvn.exe
2136	symlsrvn.exe
388	symlsrvn.exe
688	symlsrvn.exe
1492	symlsrvn.exe
1892	symlsrvn.exe
1852	symlsrvn.exe
2180	symlsrvn.exe
2852	symlsrvn.exe
2832	symlsrvn.exe
2772	symlsrvn.exe
1380	symlsrvn.exe
2056	symlsrvn.exe
1980	symlsrvn.exe
2240	symlsrvn.exe
2212	symlsrvn.exe
936	symlsrvn.exe
2756	symlsrvn.exe
2784	symlsrvn.exe
2568	symlsrvn.exe
1196	symlsrvn.exe
2344	symlsrvn.exe
2896	symlsrvn.exe
2296	symlsrvn.exe
1472	symlsrvn.exe
2156	symlsrvn.exe
1476	symlsrvn.exe
1792	symlsrvn.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe

Loads dropped DLL 64 IoCs

pid	Process
3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
2164	symlsrvn.exe
2728	symlsrvn.exe
2728	symlsrvn.exe
1776	symlsrvn.exe
1776	symlsrvn.exe
340	symlsrvn.exe
340	symlsrvn.exe
656	symlsrvn.exe
656	symlsrvn.exe
1576	symlsrvn.exe
1576	symlsrvn.exe
2840	symlsrvn.exe
2840	symlsrvn.exe
2900	symlsrvn.exe
2900	symlsrvn.exe
2052	symlsrvn.exe
2052	symlsrvn.exe
1672	symlsrvn.exe
1672	symlsrvn.exe
1932	symlsrvn.exe
1932	symlsrvn.exe
2776	symlsrvn.exe
2776	symlsrvn.exe
2860	symlsrvn.exe
2860	symlsrvn.exe
2920	symlsrvn.exe
2920	symlsrvn.exe
2420	symlsrvn.exe
2420	symlsrvn.exe
2572	symlsrvn.exe
2572	symlsrvn.exe
2536	symlsrvn.exe
2536	symlsrvn.exe
768	symlsrvn.exe
768	symlsrvn.exe
2860	symlsrvn.exe
2860	symlsrvn.exe
2136	symlsrvn.exe
2136	symlsrvn.exe
688	symlsrvn.exe
688	symlsrvn.exe
1892	symlsrvn.exe
1892	symlsrvn.exe
2180	symlsrvn.exe
2180	symlsrvn.exe
2832	symlsrvn.exe
2832	symlsrvn.exe
1380	symlsrvn.exe
1380	symlsrvn.exe
1980	symlsrvn.exe
1980	symlsrvn.exe
2212	symlsrvn.exe
2212	symlsrvn.exe
2756	symlsrvn.exe
2756	symlsrvn.exe
2568	symlsrvn.exe
2568	symlsrvn.exe
2344	symlsrvn.exe
2344	symlsrvn.exe
2296	symlsrvn.exe
2296	symlsrvn.exe
2156	symlsrvn.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 3056	1640	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	30
PID 2164 set thread context of 2728	2164	symlsrvn.exe	39
PID 1884 set thread context of 1776	1884	symlsrvn.exe	54
PID 2204 set thread context of 340	2204	symlsrvn.exe	66
PID 952 set thread context of 656	952	symlsrvn.exe	78
PID 2536 set thread context of 1576	2536	symlsrvn.exe	90
PID 2076 set thread context of 2840	2076	symlsrvn.exe	102
PID 2860 set thread context of 2900	2860	symlsrvn.exe	114
PID 2596 set thread context of 2052	2596	symlsrvn.exe	126
PID 1064 set thread context of 1672	1064	symlsrvn.exe	138
PID 1616 set thread context of 1932	1616	symlsrvn.exe	150
PID 2412 set thread context of 2776	2412	symlsrvn.exe	162
PID 3004 set thread context of 2860	3004	symlsrvn.exe	652
PID 2660 set thread context of 2920	2660	symlsrvn.exe	515
PID 1912 set thread context of 2420	1912	symlsrvn.exe	198
PID 1736 set thread context of 2572	1736	symlsrvn.exe	210
PID 1412 set thread context of 2536	1412	symlsrvn.exe	760
PID 2748 set thread context of 768	2748	symlsrvn.exe	234
PID 2876 set thread context of 2860	2876	symlsrvn.exe	780
PID 2184 set thread context of 2136	2184	symlsrvn.exe	259
PID 388 set thread context of 688	388	symlsrvn.exe	603
PID 1492 set thread context of 1892	1492	symlsrvn.exe	283
PID 1852 set thread context of 2180	1852	symlsrvn.exe	294
PID 2852 set thread context of 2832	2852	symlsrvn.exe	307
PID 2772 set thread context of 1380	2772	symlsrvn.exe	319
PID 2056 set thread context of 1980	2056	symlsrvn.exe	1040
PID 2240 set thread context of 2212	2240	symlsrvn.exe	932
PID 936 set thread context of 2756	936	symlsrvn.exe	948
PID 2784 set thread context of 2568	2784	symlsrvn.exe	1063
PID 1196 set thread context of 2344	1196	symlsrvn.exe	823
PID 2896 set thread context of 2296	2896	symlsrvn.exe	391
PID 1472 set thread context of 2156	1472	symlsrvn.exe	535
PID 1476 set thread context of 1792	1476	symlsrvn.exe	873
PID 2352 set thread context of 1536	2352	symlsrvn.exe	883
PID 2704 set thread context of 2912	2704	symlsrvn.exe	703
PID 3016 set thread context of 2772	3016	symlsrvn.exe	1384
PID 1440 set thread context of 2936	1440	symlsrvn.exe	463
PID 2944 set thread context of 1104	2944	symlsrvn.exe	1345
PID 1696 set thread context of 900	1696	symlsrvn.exe	1267
PID 968 set thread context of 2112	968	symlsrvn.exe	499
PID 944 set thread context of 2856	944	symlsrvn.exe	511
PID 620 set thread context of 2372	620	symlsrvn.exe	523
PID 2012 set thread context of 2156	2012	symlsrvn.exe	535
PID 892 set thread context of 2708	892	symlsrvn.exe	1415
PID 2436 set thread context of 2352	2436	symlsrvn.exe	1636
PID 2516 set thread context of 2912	2516	symlsrvn.exe	703
PID 1556 set thread context of 1008	1556	symlsrvn.exe	583
PID 620 set thread context of 1020	620	symlsrvn.exe	1802
PID 1484 set thread context of 2540	1484	symlsrvn.exe	607
PID 2480 set thread context of 884	2480	symlsrvn.exe	1311
PID 1016 set thread context of 2604	1016	symlsrvn.exe	1131
PID 2632 set thread context of 2576	2632	symlsrvn.exe	1730
PID 1976 set thread context of 2172	1976	symlsrvn.exe	1219
PID 1636 set thread context of 2312	1636	symlsrvn.exe	1531
PID 2100 set thread context of 1412	2100	symlsrvn.exe	1831
PID 2720 set thread context of 2168	2720	symlsrvn.exe	1999
PID 3004 set thread context of 2912	3004	symlsrvn.exe	703
PID 2768 set thread context of 3064	2768	symlsrvn.exe	1937
PID 684 set thread context of 2056	684	symlsrvn.exe	727
PID 2012 set thread context of 2944	2012	symlsrvn.exe	2142
PID 2108 set thread context of 2720	2108	symlsrvn.exe	2139
PID 2352 set thread context of 2260	2352	symlsrvn.exe	2028
PID 2644 set thread context of 3016	2644	symlsrvn.exe	2296
PID 2148 set thread context of 2160	2148	symlsrvn.exe	2511

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2728	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1776	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	340	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	656	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1576	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2840	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2900	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2052	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1672	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1932	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2776	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2860	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2920	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2420	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2572	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2536	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	768	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2860	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2136	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	688	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1892	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2180	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2832	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1380	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1980	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2212	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2756	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2568	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2344	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2296	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2156	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1792	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1536	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2912	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2772	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2936	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1104	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	900	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2112	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2856	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2372	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2156	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2708	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2352	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2912	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1008	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1020	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2540	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	884	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2604	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2576	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2172	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2312	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1412	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2168	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2912	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3064	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2056	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2944	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2720	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2260	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3016	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2160	symlsrvn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3056	1640	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	30
PID 1640 wrote to memory of 3056	1640	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	30
PID 1640 wrote to memory of 3056	1640	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	30
PID 1640 wrote to memory of 3056	1640	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	30
PID 1640 wrote to memory of 3056	1640	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	30
PID 1640 wrote to memory of 3056	1640	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	30
PID 1640 wrote to memory of 3056	1640	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	30
PID 1640 wrote to memory of 3056	1640	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	30
PID 1640 wrote to memory of 3056	1640	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2164	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	31
PID 3056 wrote to memory of 2164	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	31
PID 3056 wrote to memory of 2164	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	31
PID 3056 wrote to memory of 2164	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	31
PID 3056 wrote to memory of 2832	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	32
PID 3056 wrote to memory of 2832	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	32
PID 3056 wrote to memory of 2832	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	32
PID 3056 wrote to memory of 2832	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	32
PID 3056 wrote to memory of 2860	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	33
PID 3056 wrote to memory of 2860	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	33
PID 3056 wrote to memory of 2860	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	33
PID 3056 wrote to memory of 2860	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	33
PID 3056 wrote to memory of 2768	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	35
PID 3056 wrote to memory of 2768	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	35
PID 3056 wrote to memory of 2768	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	35
PID 3056 wrote to memory of 2768	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	35
PID 3056 wrote to memory of 2880	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	37
PID 3056 wrote to memory of 2880	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	37
PID 3056 wrote to memory of 2880	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	37
PID 3056 wrote to memory of 2880	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	37
PID 3056 wrote to memory of 2896	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	38
PID 3056 wrote to memory of 2896	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	38
PID 3056 wrote to memory of 2896	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	38
PID 3056 wrote to memory of 2896	3056	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	38
PID 2164 wrote to memory of 2728	2164	symlsrvn.exe	39
PID 2164 wrote to memory of 2728	2164	symlsrvn.exe	39
PID 2164 wrote to memory of 2728	2164	symlsrvn.exe	39
PID 2164 wrote to memory of 2728	2164	symlsrvn.exe	39
PID 2164 wrote to memory of 2728	2164	symlsrvn.exe	39
PID 2164 wrote to memory of 2728	2164	symlsrvn.exe	39
PID 2164 wrote to memory of 2728	2164	symlsrvn.exe	39
PID 2164 wrote to memory of 2728	2164	symlsrvn.exe	39
PID 2164 wrote to memory of 2728	2164	symlsrvn.exe	39
PID 2728 wrote to memory of 1884	2728	symlsrvn.exe	43
PID 2728 wrote to memory of 1884	2728	symlsrvn.exe	43
PID 2728 wrote to memory of 1884	2728	symlsrvn.exe	43
PID 2728 wrote to memory of 1884	2728	symlsrvn.exe	43
PID 2728 wrote to memory of 1192	2728	symlsrvn.exe	44
PID 2728 wrote to memory of 1192	2728	symlsrvn.exe	44
PID 2728 wrote to memory of 1192	2728	symlsrvn.exe	44
PID 2728 wrote to memory of 1192	2728	symlsrvn.exe	44
PID 2728 wrote to memory of 2920	2728	symlsrvn.exe	45
PID 2728 wrote to memory of 2920	2728	symlsrvn.exe	45
PID 2728 wrote to memory of 2920	2728	symlsrvn.exe	45
PID 2728 wrote to memory of 2920	2728	symlsrvn.exe	45
PID 2728 wrote to memory of 620	2728	symlsrvn.exe	47
PID 2728 wrote to memory of 620	2728	symlsrvn.exe	47
PID 2728 wrote to memory of 620	2728	symlsrvn.exe	47
PID 2728 wrote to memory of 620	2728	symlsrvn.exe	47
PID 2728 wrote to memory of 1992	2728	symlsrvn.exe	117
PID 2728 wrote to memory of 1992	2728	symlsrvn.exe	117
PID 2728 wrote to memory of 1992	2728	symlsrvn.exe	117
PID 2728 wrote to memory of 1992	2728	symlsrvn.exe	117
PID 2728 wrote to memory of 2904	2728	symlsrvn.exe	50
PID 2728 wrote to memory of 2904	2728	symlsrvn.exe	50

C:\Users\Admin\AppData\Local\Temp\5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Impair Defenses: Safe Mode Boot
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\symlsrvn.exe
    "C:\Windows\system32\symlsrvn.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\symlsrvn.exe
      "C:\Windows\SysWOW64\symlsrvn.exe"
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1884
      - C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2204
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:952
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        10⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2536
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        12⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2076
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2860
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        16⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2596
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1064
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        20⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1616
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        22⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2412
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        24⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3004
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2660
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        28⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1912
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        30⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1736
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        32⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1412
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        34⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2748
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        36⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2876
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        38⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2184
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        40⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:388
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        42⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1492
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1852
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        46⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2852
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        48⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2772
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2056
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        52⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2240
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        54⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:936
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        56⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2784
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        58⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1196
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2896
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        62⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1472
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        64⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1476
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        66⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:2352
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        68⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:2704
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        70⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:3016
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        72⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:1440
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        74⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:2944
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        76⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:1696
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        78⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:968
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        80⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:944
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        82⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:620
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        84⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:2012
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        86⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:892
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        88⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:2436
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        90⤵
        Disables RegEdit via registry modification
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2516
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        92⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:1556
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        94⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:620
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        96⤵
        Disables RegEdit via registry modification
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:1484
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        98⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:2480
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        100⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:1016
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        102⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:2632
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        104⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:1976
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        106⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:1636
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        108⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:2100
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        110⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:2720
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        112⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:3004
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        114⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:2768
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        116⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:684
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        118⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:2012
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        120⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:2108
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        122⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:2352
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        124⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:2644
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        126⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:2148
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        128⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        129⤵
        
        PID:752
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        130⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:1280
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        131⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        132⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        133⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        134⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        
        PID:2344
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        135⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        136⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2080
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        137⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        138⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        139⤵
        
        PID:600
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        140⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        141⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        142⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:2264
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        143⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        144⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:1536
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        145⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        146⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:2784
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        147⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        148⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        149⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        150⤵
        Adds Run key to start application
        
        PID:1484
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        151⤵
        
        PID:684
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        152⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        153⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        154⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        155⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        156⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        157⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        158⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        159⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        160⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1104
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        161⤵
        
        PID:568
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        162⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        163⤵
        
        PID:544
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        164⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        165⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        166⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        
        PID:2904
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        167⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        168⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        169⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        170⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:2216
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        171⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        172⤵
        
        PID:748
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        173⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        174⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        175⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        176⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2680
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        177⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        178⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        
        PID:1588
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        179⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        180⤵
        Adds Run key to start application
        
        PID:1548
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        181⤵
        
        PID:308
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        182⤵
        Drops file in Drivers directory
        
        PID:1628
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        183⤵
        
        PID:684
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        184⤵
        Disables RegEdit via registry modification
        
        PID:968
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        185⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        186⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        187⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        188⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1852
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        189⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        190⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        191⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        192⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        193⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        194⤵
        Adds Run key to start application
        
        PID:2980
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        195⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        196⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        197⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        198⤵
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        199⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        200⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        
        PID:2172
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        201⤵
        
        PID:644
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        202⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:568
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        203⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        204⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:696
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        205⤵
        
        PID:952
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        206⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        207⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        208⤵
        Drops file in Drivers directory
        
        PID:900
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        209⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        210⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:2460
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        211⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        212⤵
        Drops file in Drivers directory
        
        PID:828
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        213⤵
        
        PID:600
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        214⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        215⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        216⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2964
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        217⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        218⤵
        Adds Run key to start application
        
        PID:2516
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        219⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        220⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        
        PID:1476
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        221⤵
        
        PID:872
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        222⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1208
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        223⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        224⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        225⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        226⤵
        Drops file in Drivers directory
        
        PID:2836
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        227⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        228⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        229⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        230⤵
        Disables RegEdit via registry modification
        
        PID:2060
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        231⤵
        
        PID:752
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        232⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        233⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        234⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:2816
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        235⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        236⤵
        Disables RegEdit via registry modification
        
        PID:2388
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        237⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        238⤵
        Adds Run key to start application
        
        PID:1956
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        239⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        240⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        241⤵
        
        PID:976
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        242⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        243⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        244⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        245⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        246⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        247⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        248⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        249⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        250⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        251⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        252⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        253⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        254⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        255⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        256⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        257⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        258⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        259⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        260⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        261⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        262⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        263⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        264⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        265⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        266⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        267⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        268⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        269⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        270⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        271⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        271⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        271⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        271⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        269⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        269⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        269⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        269⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        269⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        267⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        267⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        267⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        267⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        267⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        265⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        265⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        265⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        265⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        265⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        263⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        263⤵
        
        PID:892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        263⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        263⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        263⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        261⤵
        
        PID:980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        261⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        261⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        261⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        261⤵
        
        PID:976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        259⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        259⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        259⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        259⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        259⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        257⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        257⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        257⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        257⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        257⤵
        
        PID:628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        255⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        255⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        255⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        255⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        255⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        253⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        253⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        253⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        253⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        253⤵
        
        PID:696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        251⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        251⤵
        
        PID:316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        251⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        251⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        251⤵
        
        PID:644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        249⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        249⤵
        
        PID:920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        249⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        249⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        249⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        247⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        247⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        247⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        247⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        247⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        245⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        245⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        245⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        245⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        245⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        243⤵
        
        PID:544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        243⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        243⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        243⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        243⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        241⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        241⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        241⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        241⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        241⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        239⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        239⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        239⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        239⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        239⤵
        
        PID:620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        237⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        237⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        237⤵
        
        PID:988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        237⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        237⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        235⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        235⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        235⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        235⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        235⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        233⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        233⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        233⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        233⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        233⤵
        
        PID:892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        231⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        231⤵
        
        PID:388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        231⤵
        
        PID:644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        231⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        231⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        229⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        229⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        229⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        229⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        229⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        227⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        227⤵
        
        PID:988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        227⤵
        
        PID:944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        227⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        227⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        225⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        225⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        225⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        225⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        225⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        223⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        223⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        223⤵
        
        PID:544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        223⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        223⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        221⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        221⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        221⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        221⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        221⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        219⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        219⤵
        
        PID:920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        219⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        219⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        219⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        217⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        217⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        217⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        217⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        217⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        215⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        215⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        215⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        215⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        215⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        213⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        213⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        213⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        213⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        213⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        211⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        211⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        211⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        211⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        211⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        209⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        209⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        209⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        209⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        209⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        207⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        207⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        207⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        207⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        207⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        205⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        205⤵
        
        PID:936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        205⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        205⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        205⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        203⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        203⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        203⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        203⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        203⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        201⤵
        
        PID:752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        201⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        201⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        201⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        201⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        199⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        199⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        199⤵
        
        PID:920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        199⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        199⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        197⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        197⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        197⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        197⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        197⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        195⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        195⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        195⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        195⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        195⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        193⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        193⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        193⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        193⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        193⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        191⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        191⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        191⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        191⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        191⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        189⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        189⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        189⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        189⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        189⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        187⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        187⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        187⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        187⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        187⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        185⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        185⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        185⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        185⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        185⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        183⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        183⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        183⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        183⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        183⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        181⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        181⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        181⤵
        
        PID:712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        181⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        181⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        179⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        179⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        179⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        179⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        179⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        177⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        177⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        177⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        177⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        177⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        175⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        175⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        175⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        175⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        175⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        173⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        173⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        173⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        173⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        173⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        171⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        171⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        171⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        171⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        171⤵
        
        PID:600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        169⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        169⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        169⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        169⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        169⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        167⤵
        
        PID:944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        167⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        167⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        167⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        167⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        165⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        165⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        165⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        165⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        165⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        163⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        163⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        163⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        163⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        163⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        161⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        161⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        161⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        161⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        161⤵
        
        PID:972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        159⤵
        
        PID:388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        159⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        159⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        159⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        159⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        157⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        157⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        157⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        157⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        157⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        155⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        155⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        155⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        155⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        155⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        153⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        153⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        153⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        153⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        153⤵
        
        PID:884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        151⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        151⤵
        
        PID:752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        151⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        151⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        151⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        149⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        149⤵
        
        PID:236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        149⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        149⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        149⤵
        
        PID:644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        147⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        147⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        147⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        147⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        147⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        145⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        145⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        145⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        145⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        145⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        143⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        143⤵
        
        PID:936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        143⤵
        
        PID:696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        143⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        143⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        141⤵
        
        PID:952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        141⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        141⤵
        
        PID:748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        141⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        141⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        139⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        139⤵
        
        PID:452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        139⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        139⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        139⤵
        
        PID:684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        137⤵
        
        PID:988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        137⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        137⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        137⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        137⤵
        
        PID:236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        135⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        135⤵
        
        PID:900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        135⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        135⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        135⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        133⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        133⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        133⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        133⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        133⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        131⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        131⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        131⤵
        
        PID:316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        131⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        131⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        129⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        129⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        129⤵
        
        PID:620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        129⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        129⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        127⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        127⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        127⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        127⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        127⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        125⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        125⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        125⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        125⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        125⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        123⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        123⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        123⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        123⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        123⤵
        
        PID:900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        121⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        121⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        121⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        121⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        121⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        119⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        119⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        119⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        117⤵
        
        PID:600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        117⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        117⤵
        
        PID:644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        115⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        115⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        115⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        113⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        113⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        113⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        111⤵
        
        PID:936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        111⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        111⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        109⤵
        
        PID:544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        109⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        109⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        
        PID:972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        107⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        107⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        107⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        105⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        105⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        105⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        103⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        103⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        103⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        101⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        101⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        101⤵
        
        PID:900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        99⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        99⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        99⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        97⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        97⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        97⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        95⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        95⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        95⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        93⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        93⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        93⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        91⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        91⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        91⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        89⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        89⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        89⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        87⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        87⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        87⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        85⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        85⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        85⤵
        
        PID:748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        83⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        83⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        83⤵
        
        PID:920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        81⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        81⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        81⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        79⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        79⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        79⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        77⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        77⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        77⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        75⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        75⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        75⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        73⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        73⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        73⤵
        
        PID:988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        71⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        71⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        71⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        69⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        69⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        67⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        65⤵
        
        PID:544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        63⤵
        
        PID:452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        61⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        59⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        57⤵
        
        PID:944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        55⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        53⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        51⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        49⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        47⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        45⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        
        PID:872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        43⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        41⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        39⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        37⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        35⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        
        PID:712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        33⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        31⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        29⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        27⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        25⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        23⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        
        PID:712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        21⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        19⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        17⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        15⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        13⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        11⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        9⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        7⤵
        
        PID:2172
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:1192
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:620
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        5⤵
        
        PID:2904
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5DF7B6~1.EXE > nul
    3⤵
    - Deletes itself
    PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "894993251354577879-182102623-1453230012-15690519501128618798131502941-302031695"
1⤵
PID:2992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16353812779892477-10863698811658586845-1468671330-18235101125958122-1834888154"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-832923603157128819470990666411158930531893696575-1875497545444731361-1110580477"
1⤵
PID:2412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-41331124-16433298551281793091-1035287863151713912-513414798-1961451879-1394910806"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3639376371563281567-809144880-319958071079255892105537711479652402-296974625"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-349458795-1977339725560997932325555665-2025653935-805252144-8143781237344809"
1⤵
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19465445751510351779-119402831-6521855361030863018-1326856036-2430387031294539679"
1⤵
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-418755975-742191503-13588835412336002531239045329267817299-1414175269378258045"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1755488241005496705-662926687-1364185728-1016797191-20481522903603483391303351168"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1385055054-1389930110161907346-108437025218563332131434081259-306662288199770429"
1⤵
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "867510129-5631640755149108361879097472283467828-10048952521750890237-1747510051"
1⤵
PID:712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "399228167-385814055-129284515219944169961531695904-10003259411652921725905229966"
1⤵
PID:2076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12421431382059764456-15518252317009572259547764691159888596-1856230184411320093"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-151241707512114161432126653535-483416398116446443-12265663031091506991-1324156560"
1⤵
PID:1088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1503943772-10155796181950036384794001230-817401735-739101764485813675-468227037"
1⤵
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1845331559513911955-1995950948-503172459992516224-808284217984443764294288892"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13513615281419704200-1292778890-975422918166543547644190621820600429732035382971"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15271018171568960520-2135364576-14421526241747217804-412915337-7322916261347086286"
1⤵
PID:688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-509500073-13314671531458506118-4718632721386127160-257628839-106749025537999040"
1⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-417325088-1503847430-11377812962768435-702426140-176536407321466787471691341917"
1⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4885236389627378211456370597-89749674515998971751367885943-1223516379-121355011"
1⤵
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "52239763210658035132109472028-1845708690895782505-17285851901118484020-1435253727"
1⤵
PID:1020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1652040222-234930016-1524071022-985411338-908256731950616486-18132509991558035885"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19084724401997594483-406382884-19038185992034690507-1091297702-1737831054-745902396"
1⤵
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-998942433-1318674133-549057866-5618904221242646227235566686735817311402048666"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21279572961462950344420621979-4191714171983060423-9575529141992447583-1958424235"
1⤵
PID:316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-615523158812220509523547972-444440193-18873800392099705411-489645652-167671834"
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1937488766-1376858317-109694007710859619615771280061555501515-1573221381-742969866"
1⤵
PID:1412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1806350356557021711-1860480350-1394167168-528643616196206457-517066917-1204312198"
1⤵
PID:1904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "549784424-1989382883-1671335727-874958269-13930416-1084948360-294089697-663619131"
1⤵
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1400411207-137181111281449546-1133839081-735926476-452920540940924619-2092654867"
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7938294531584065029-1752089162-910899859-1268373201182932682181417528-364288229"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16033069021810156653-92112245418926781-1315969957-639897766-851823595-714070713"
1⤵
PID:872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "188381178119488551911476145280-114140696314230511631997237863-150344552-1439337534"
1⤵
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1797106541-17919654861367526792-135820477-1591485730454438641-1249794220680466560"
1⤵
PID:1532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1532084129-1458558385-2020971032-1414530482-722602095-14591853866536559881635401590"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5685418933651114021012066866-665982891-6504552028503474414318368091594374673"
1⤵
PID:1852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1563178305-2091980389-344177036-1613831550-286315437201602238417557940382032386777"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-290453001-16513576471292410591886863444166077510711625307271433039573-445784608"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "47901700767444695016809162514917114591321140034-1630613612-813757480-632392262"
1⤵
PID:1080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10618097821351848142-4293402501566699316-134216067-1965525705-1714840557-331431040"
1⤵
PID:1344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1700753765-1053466026207362241-1574322114-265291873-1003813904-1039984956-1508758769"
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1482703943487941944-1554052891-9065518023175160351093901349-18215064301476278984"
1⤵
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1335682035189088520-180343163633794950770894222-1422066855612749578325118458"
1⤵
PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "813772728-2068004151135864739-1544539239-18894155041059208846-7374380571476970714"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "218099172-15665038121275549930-588682408704159054-16999772204426025652010583199"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "776284583196764808719835957831955055737956229952-1610447168-11423180621496672024"
1⤵
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "781795769-18448849072113871748-92007050-19575671691395932096126142461798859076"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1588885272-11684568502109315682-191551585121179817881226655911-14880578561101967471"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16307812801937056172-1049260769-2119837036-991496133-637830770-117344892-873220561"
1⤵
PID:236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1020721296-12519341091089383467-2081538854155003144912038134311912358678-564775659"
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-911995450-1384212585-175276449485651316519707833111284158367-12129854711363455713"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "323803185998687580-8351036353789179881629622738-542227294-1967972488-1381612732"
1⤵
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "376260072-659777421-975552277557667189-1045514021102104303311030079-125332844"
1⤵
PID:2176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-33232848-7225791522102174770-20560011772042985901828550246-570323099-1729033010"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "88473965518474047111551867949-1129577678-2586482381379320701-1612692066-16287708"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1778748278-990387972-909366778136316134-715063314236908306-887732041433885019"
1⤵
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "987243054-15097563252046361710548561120-6807026131941623106-263457136444829929"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1731088209721555316-1445600452397784073-377064344-1035998690-1679586815-1668527255"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1796718476-2966202547203897298450978991314357952570493484500595301156253689"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7218925611440532242-58090909718291784911104855998-1595374765-1810200085-1516865094"
1⤵
PID:1392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18247787263580839831255782253-1069653881-19296741202102177526-19503531291910502585"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17915381271055024356-12769821116184562001875614901-888164736-1594056851-225656272"
1⤵
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19546814061894745328-1715943124-1647758681507589705-1720866584-17700482651317090861"
1⤵
PID:3016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "92841378015027856112034083884-237257698-1516547270-1483056739-1798860200-1186302355"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-471610304-1531659120390953202-1224522986-782067502-19880807463828378251972539081"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2091593530-1528825308-567953574-473117951-50256693115281683971671325512-921115716"
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-676768632-801335926-922166237-1399562044601572212-1490220078-1722049025-985913764"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1170187102-212205869-623085582-1132157825174015138321391060201680796262-2112482256"
1⤵
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1013078751702230335684484231166423092-1685457487117791611838701926-673367679"
1⤵
PID:1268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "446168953497300757-14165154631924411672-288755251-202613873938482208-1103236194"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "178731937210387553594472836693997955326103117461310637361-91832380829899802"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20703674212120700888-11268269242139061470508843927-987890667401735124-930763617"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1353418888-1943077894172521768-435964304798315738-512826597-911696316992695601"
1⤵
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "722020011-881624695-669725985-1415674212-1214359828-20343395092099257331253794771"
1⤵
PID:2808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "304211221-198396720315500215389840008613977885421644246418-7334721211083998174"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1809686398616097197472193997-1113032266-1468385731469087461-197760291-950419952"
1⤵
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-375897013-797499893-2011705049-1698763780-17987940471862551631207454307-1672256042"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1350794961727201651-18786682911844778925-1703963438-3122617541570365440-991548457"
1⤵
PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1674823802-83370850117093252210832996822003261640611102061-1591403373-635684845"
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\symlsrvn.exe

Filesize
72KB

MD5
5df7b6914058320be1ecac739d32a4a7

SHA1
e4e867c32f36bba89fee537bde7d4c4934a3fe0d

SHA256
7451988910c8306e03cf10cebb4099cb360cf45685a175d67022cedb90be36a3

SHA512
3bfa6518383aa4a60caf27d363481b95e73f1aa7c40b615b025304d337711b82b7d78e1dd3c8e669bbaf25ebaeb0955e6f9aeda47a0eef93b81a1483d3fabf4b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
10KB

MD5
eb3e22f3c34d04f91f4a09f424d5e6e2

SHA1
266d7a91a081e37ffa70db048abd6936efa06f51

SHA256
13d0dda001d183c97c40c0b65b072b7fda09fcc4cc069f20e9a5b88242ed3df1

SHA512
8e6ffba5faafb05fc6690e0a61e14d1984fd7f5b2c2db31dc472c4c248fdd63cdc515cbd5f9794fc6d8e53db323cabd10e4d71350777d5866a1aeb0d7641c6da

Download Submit
memory/1640-14-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/1884-61-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/2164-40-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/2204-79-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/3056-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3056-15-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/3056-5-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/3056-2-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/3056-10-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/3056-0-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/3056-7-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads