7451988910c8306e03cf10cebb4099cb360cf45685a175d67022cedb90be36a3

Analysis

max time kernel
47s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Size

72KB
MD5

5df7b6914058320be1ecac739d32a4a7
SHA1

e4e867c32f36bba89fee537bde7d4c4934a3fe0d
SHA256

7451988910c8306e03cf10cebb4099cb360cf45685a175d67022cedb90be36a3
SHA512

3bfa6518383aa4a60caf27d363481b95e73f1aa7c40b615b025304d337711b82b7d78e1dd3c8e669bbaf25ebaeb0955e6f9aeda47a0eef93b81a1483d3fabf4b
SSDEEP

1536:+EXzfXeRZhjgu5VQrBanw5nTN8a9B1IuAbWhVtVmAKTwL:BPyhjguLQrTTN8a93I7b2DV7K8L

Score

8^/10

defense_evasion evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symlsrvn.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symlsrvn.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	symlsrvn.exe

Executes dropped EXE 64 IoCs

pid	Process
244	symlsrvn.exe
3236	symlsrvn.exe
700	symlsrvn.exe
2332	symlsrvn.exe
5060	symlsrvn.exe
1684	symlsrvn.exe
2640	symlsrvn.exe
4820	symlsrvn.exe
2984	symlsrvn.exe
384	symlsrvn.exe
2092	symlsrvn.exe
4876	symlsrvn.exe
1576	symlsrvn.exe
3680	symlsrvn.exe
2644	symlsrvn.exe
432	symlsrvn.exe
5116	symlsrvn.exe
864	symlsrvn.exe
4948	symlsrvn.exe
1956	symlsrvn.exe
4380	symlsrvn.exe
4648	symlsrvn.exe
2892	symlsrvn.exe
1500	symlsrvn.exe
640	symlsrvn.exe
4232	symlsrvn.exe
2500	symlsrvn.exe
4552	symlsrvn.exe
4064	symlsrvn.exe
2644	symlsrvn.exe
4332	symlsrvn.exe
4112	symlsrvn.exe
3288	symlsrvn.exe
2648	symlsrvn.exe
5004	symlsrvn.exe
1180	symlsrvn.exe
4896	symlsrvn.exe
5056	symlsrvn.exe
312	symlsrvn.exe
3632	symlsrvn.exe
1796	symlsrvn.exe
2648	symlsrvn.exe
5112	symlsrvn.exe
4284	symlsrvn.exe
4332	symlsrvn.exe
4320	symlsrvn.exe
2232	symlsrvn.exe
2140	symlsrvn.exe
1036	symlsrvn.exe
404	symlsrvn.exe
2652	symlsrvn.exe
3136	symlsrvn.exe
5116	symlsrvn.exe
1916	symlsrvn.exe
4436	symlsrvn.exe
1056	symlsrvn.exe
5072	symlsrvn.exe
2860	symlsrvn.exe
1936	symlsrvn.exe
4740	symlsrvn.exe
4128	symlsrvn.exe
2648	symlsrvn.exe
2276	symlsrvn.exe
1640	symlsrvn.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec N-Protect Server = "symlsrvn.exe"	symlsrvn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File created	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe
File opened for modification	C:\Windows\SysWOW64\symlsrvn.exe	symlsrvn.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2656 set thread context of 2828	2656	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	84
PID 244 set thread context of 3236	244	symlsrvn.exe	88
PID 700 set thread context of 2332	700	symlsrvn.exe	108
PID 5060 set thread context of 1684	5060	symlsrvn.exe	122
PID 2640 set thread context of 4820	2640	symlsrvn.exe	134
PID 2984 set thread context of 384	2984	symlsrvn.exe	146
PID 2092 set thread context of 4876	2092	symlsrvn.exe	160
PID 1576 set thread context of 3680	1576	symlsrvn.exe	172
PID 2644 set thread context of 432	2644	symlsrvn.exe	184
PID 5116 set thread context of 864	5116	symlsrvn.exe	197
PID 4948 set thread context of 1956	4948	symlsrvn.exe	209
PID 4380 set thread context of 4648	4380	symlsrvn.exe	222
PID 2892 set thread context of 1500	2892	symlsrvn.exe	479
PID 640 set thread context of 4232	640	symlsrvn.exe	246
PID 2500 set thread context of 4552	2500	symlsrvn.exe	657
PID 4064 set thread context of 2644	4064	symlsrvn.exe	271
PID 4332 set thread context of 4112	4332	symlsrvn.exe	283
PID 3288 set thread context of 2648	3288	symlsrvn.exe	465
PID 5004 set thread context of 1180	5004	symlsrvn.exe	393
PID 4896 set thread context of 5056	4896	symlsrvn.exe	319
PID 312 set thread context of 3632	312	symlsrvn.exe	331
PID 1796 set thread context of 2648	1796	symlsrvn.exe	465
PID 5112 set thread context of 4284	5112	symlsrvn.exe	527
PID 4332 set thread context of 4320	4332	symlsrvn.exe	368
PID 2232 set thread context of 2140	2232	symlsrvn.exe	851
PID 1036 set thread context of 404	1036	symlsrvn.exe	1166
PID 2652 set thread context of 3136	2652	symlsrvn.exe	1202
PID 5116 set thread context of 1916	5116	symlsrvn.exe	952
PID 4436 set thread context of 1056	4436	symlsrvn.exe	1210
PID 5072 set thread context of 2860	5072	symlsrvn.exe	1359
PID 1936 set thread context of 4740	1936	symlsrvn.exe	453
PID 4128 set thread context of 2648	4128	symlsrvn.exe	465
PID 2276 set thread context of 1640	2276	symlsrvn.exe	1708
PID 1500 set thread context of 2860	1500	symlsrvn.exe	1548
PID 1488 set thread context of 3168	1488	symlsrvn.exe	1281
PID 4588 set thread context of 372	4588	symlsrvn.exe	1381
PID 4036 set thread context of 2892	4036	symlsrvn.exe	525
PID 4284 set thread context of 3136	4284	symlsrvn.exe	1732
PID 3128 set thread context of 5104	3128	symlsrvn.exe	549
PID 1560 set thread context of 2276	1560	symlsrvn.exe	561
PID 456 set thread context of 3016	456	symlsrvn.exe	1189
PID 4760 set thread context of 4504	4760	symlsrvn.exe	585
PID 3624 set thread context of 4484	3624	symlsrvn.exe	2002
PID 2952 set thread context of 3540	2952	symlsrvn.exe	827
PID 4064 set thread context of 4656	4064	symlsrvn.exe	621
PID 3884 set thread context of 1844	3884	symlsrvn.exe	633
PID 3752 set thread context of 2716	3752	symlsrvn.exe	645
PID 2964 set thread context of 4552	2964	symlsrvn.exe	657
PID 776 set thread context of 4792	776	symlsrvn.exe	1985
PID 1856 set thread context of 4440	1856	symlsrvn.exe	681
PID 5016 set thread context of 3428	5016	symlsrvn.exe	2282
PID 1916 set thread context of 4812	1916	symlsrvn.exe	705
PID 1500 set thread context of 2808	1500	symlsrvn.exe	1258
PID 4736 set thread context of 1904	4736	symlsrvn.exe	730
PID 4456 set thread context of 2792	4456	symlsrvn.exe	2233
PID 4052 set thread context of 4684	4052	symlsrvn.exe	754
PID 3248 set thread context of 5016	3248	symlsrvn.exe	766
PID 2404 set thread context of 3492	2404	symlsrvn.exe	778
PID 1052 set thread context of 1936	1052	symlsrvn.exe	2257
PID 1072 set thread context of 1488	1072	symlsrvn.exe	802
PID 2488 set thread context of 1084	2488	symlsrvn.exe	2541
PID 4668 set thread context of 3900	4668	symlsrvn.exe	2585
PID 396 set thread context of 392	396	symlsrvn.exe	1153
PID 5052 set thread context of 2140	5052	symlsrvn.exe	1940

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symlsrvn.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3236	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2332	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1684	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4820	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	384	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4876	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3680	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	432	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	864	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1956	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4648	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1500	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4232	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4552	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2644	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4112	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2648	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1180	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	5056	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3632	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2648	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4284	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4320	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2140	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	404	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3136	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1916	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1056	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2860	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4740	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2648	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1640	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2860	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3168	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	372	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2892	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3136	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	5104	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2276	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3016	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4504	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4484	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3540	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4656	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1844	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2716	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4552	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4792	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4440	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3428	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4812	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2808	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1904	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2792	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	4684	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	5016	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3492	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1936	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1488	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	1084	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	3900	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	392	symlsrvn.exe
Token: SeIncBasePriorityPrivilege	2140	symlsrvn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2828	2656	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	84
PID 2656 wrote to memory of 2828	2656	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	84
PID 2656 wrote to memory of 2828	2656	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	84
PID 2656 wrote to memory of 2828	2656	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	84
PID 2656 wrote to memory of 2828	2656	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	84
PID 2656 wrote to memory of 2828	2656	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	84
PID 2656 wrote to memory of 2828	2656	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	84
PID 2656 wrote to memory of 2828	2656	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	84
PID 2828 wrote to memory of 244	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	87
PID 2828 wrote to memory of 244	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	87
PID 2828 wrote to memory of 244	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	87
PID 244 wrote to memory of 3236	244	symlsrvn.exe	88
PID 244 wrote to memory of 3236	244	symlsrvn.exe	88
PID 244 wrote to memory of 3236	244	symlsrvn.exe	88
PID 244 wrote to memory of 3236	244	symlsrvn.exe	88
PID 244 wrote to memory of 3236	244	symlsrvn.exe	88
PID 244 wrote to memory of 3236	244	symlsrvn.exe	88
PID 244 wrote to memory of 3236	244	symlsrvn.exe	88
PID 244 wrote to memory of 3236	244	symlsrvn.exe	88
PID 2828 wrote to memory of 1112	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	89
PID 2828 wrote to memory of 1112	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	89
PID 2828 wrote to memory of 1112	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	89
PID 2828 wrote to memory of 4132	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	90
PID 2828 wrote to memory of 4132	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	90
PID 2828 wrote to memory of 4132	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	90
PID 2828 wrote to memory of 1616	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	92
PID 2828 wrote to memory of 1616	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	92
PID 2828 wrote to memory of 1616	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	92
PID 2828 wrote to memory of 2412	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	93
PID 2828 wrote to memory of 2412	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	93
PID 2828 wrote to memory of 2412	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	93
PID 2828 wrote to memory of 4360	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	95
PID 2828 wrote to memory of 4360	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	95
PID 2828 wrote to memory of 4360	2828	5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe	95
PID 3236 wrote to memory of 700	3236	symlsrvn.exe	98
PID 3236 wrote to memory of 700	3236	symlsrvn.exe	98
PID 3236 wrote to memory of 700	3236	symlsrvn.exe	98
PID 3236 wrote to memory of 2608	3236	symlsrvn.exe	99
PID 3236 wrote to memory of 2608	3236	symlsrvn.exe	99
PID 3236 wrote to memory of 2608	3236	symlsrvn.exe	99
PID 3236 wrote to memory of 920	3236	symlsrvn.exe	100
PID 3236 wrote to memory of 920	3236	symlsrvn.exe	100
PID 3236 wrote to memory of 920	3236	symlsrvn.exe	100
PID 3236 wrote to memory of 3576	3236	symlsrvn.exe	165
PID 3236 wrote to memory of 3576	3236	symlsrvn.exe	165
PID 3236 wrote to memory of 3576	3236	symlsrvn.exe	165
PID 3236 wrote to memory of 3492	3236	symlsrvn.exe	169
PID 3236 wrote to memory of 3492	3236	symlsrvn.exe	169
PID 3236 wrote to memory of 3492	3236	symlsrvn.exe	169
PID 3236 wrote to memory of 1472	3236	symlsrvn.exe	103
PID 3236 wrote to memory of 1472	3236	symlsrvn.exe	103
PID 3236 wrote to memory of 1472	3236	symlsrvn.exe	103
PID 700 wrote to memory of 2332	700	symlsrvn.exe	108
PID 700 wrote to memory of 2332	700	symlsrvn.exe	108
PID 700 wrote to memory of 2332	700	symlsrvn.exe	108
PID 700 wrote to memory of 2332	700	symlsrvn.exe	108
PID 700 wrote to memory of 2332	700	symlsrvn.exe	108
PID 700 wrote to memory of 2332	700	symlsrvn.exe	108
PID 700 wrote to memory of 2332	700	symlsrvn.exe	108
PID 700 wrote to memory of 2332	700	symlsrvn.exe	108
PID 2332 wrote to memory of 5060	2332	symlsrvn.exe	112
PID 2332 wrote to memory of 5060	2332	symlsrvn.exe	112
PID 2332 wrote to memory of 5060	2332	symlsrvn.exe	112
PID 2332 wrote to memory of 4724	2332	symlsrvn.exe	231

C:\Users\Admin\AppData\Local\Temp\5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5df7b6914058320be1ecac739d32a4a7_JaffaCakes118.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\symlsrvn.exe
    "C:\Windows\system32\symlsrvn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Windows\SysWOW64\symlsrvn.exe
      "C:\Windows\SysWOW64\symlsrvn.exe"
      4⤵
      Disables RegEdit via registry modification
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:700
      - C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        6⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5060
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        8⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2640
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        10⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2984
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        12⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2092
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        14⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1576
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        16⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2644
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        18⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5116
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        20⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4948
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        22⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4380
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        24⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2892
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        26⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:640
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        28⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2500
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        30⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4064
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        32⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4332
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        34⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3288
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        36⤵
        Disables RegEdit via registry modification
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5004
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        38⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4896
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        40⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:312
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        42⤵
        Disables RegEdit via registry modification
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1796
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        44⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5112
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4332
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        48⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2232
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        50⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1036
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        52⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2652
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        54⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5116
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        56⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4436
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        58⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5072
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        60⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1936
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        62⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4128
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        64⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2276
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        66⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1500
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        68⤵
        Disables RegEdit via registry modification
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:1488
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        70⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:4588
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        72⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:4036
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        74⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:4284
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        76⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:3128
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        78⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:1560
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        80⤵
        Disables RegEdit via registry modification
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:456
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        82⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:4760
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        84⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:3624
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        86⤵
        Disables RegEdit via registry modification
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:2952
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        88⤵
        Disables RegEdit via registry modification
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:4064
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        90⤵
        Disables RegEdit via registry modification
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:3884
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        92⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:3752
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        94⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:2964
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        96⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:776
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        98⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:1856
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        100⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:5016
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        102⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:1916
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        104⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:1500
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        106⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:4736
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        108⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:4456
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        110⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:4052
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        112⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:3248
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        114⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:2404
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        116⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:1052
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        118⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:1072
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        120⤵
        Disables RegEdit via registry modification
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:2488
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        122⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:4668
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        124⤵
        Disables RegEdit via registry modification
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:396
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        126⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:5052
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        128⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        129⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        130⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        131⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        132⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        133⤵
        
        PID:640
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        134⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        135⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        136⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        137⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        138⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        139⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        140⤵
        Drops file in Drivers directory
        
        PID:3984
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        141⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        142⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        143⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        144⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        145⤵
        
        PID:372
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        146⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        147⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        148⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        149⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        150⤵
        Disables RegEdit via registry modification
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        151⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        152⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        153⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        154⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        155⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        156⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        157⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        158⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        159⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        160⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        161⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        162⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        163⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        164⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        165⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        166⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        167⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        168⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        169⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        170⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        171⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        172⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        173⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        174⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        175⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        176⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        177⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        178⤵
        
        PID:392
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        179⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        180⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        181⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        182⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        183⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        184⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        185⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        186⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        187⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        188⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        189⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        190⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        191⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        192⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        193⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        194⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        195⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        196⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        197⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        198⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        199⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        200⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        201⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        202⤵
        
        PID:244
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        203⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        204⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        205⤵
        
        PID:624
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        206⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        207⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        208⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        209⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        210⤵
        
        PID:228
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        211⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        212⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        213⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        214⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        215⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        216⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        217⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        218⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        219⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        220⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        221⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        222⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        223⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        224⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        225⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        226⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        227⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        228⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        229⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        230⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        231⤵
        
        PID:868
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        232⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        233⤵
        
        PID:644
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        234⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        235⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        236⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        237⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        238⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        239⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        240⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        241⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        242⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        243⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        244⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        245⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        246⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        247⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        248⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        249⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        250⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        251⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        252⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        253⤵
        
        PID:628
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        254⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        255⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        256⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        257⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        258⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        259⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        260⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        261⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        262⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        263⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        264⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        265⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        266⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        267⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        268⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        269⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\SysWOW64\symlsrvn.exe"
        270⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\symlsrvn.exe
        
        "C:\Windows\system32\symlsrvn.exe"
        271⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        271⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        271⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        271⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        271⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        271⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        269⤵
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        270⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        269⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        269⤵
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        270⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        269⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        269⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        267⤵
        
        PID:724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        267⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        267⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        267⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        267⤵
        
        PID:3152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        268⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        265⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        265⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        265⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        265⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        265⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        263⤵
        
        PID:312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        263⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        263⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        263⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        263⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        261⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        261⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        261⤵
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        262⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        261⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        261⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        259⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        259⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        259⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        259⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        259⤵
        
        PID:1016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        260⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        257⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        257⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        257⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        257⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        257⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        255⤵
        
        PID:936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        255⤵
        
        PID:912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        255⤵
        
        PID:552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        255⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        255⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        253⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        253⤵
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        254⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        253⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        253⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        253⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        251⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        251⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        251⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        251⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        251⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        249⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        249⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        249⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        249⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        249⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        247⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        247⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        247⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        247⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        247⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        245⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        245⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        245⤵
        
        PID:2784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        246⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        245⤵
        
        PID:3716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        246⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        245⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        243⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        243⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        243⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        243⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        243⤵
        
        PID:3888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        244⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        241⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        241⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        241⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        241⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        241⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        239⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        239⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        239⤵
        
        PID:644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        239⤵
        
        PID:2660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        240⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        239⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        237⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        237⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        237⤵
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        238⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        237⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        237⤵
        
        PID:816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        235⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        235⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        235⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        235⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        235⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        233⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        233⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        233⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        233⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        233⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        231⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        231⤵
        
        PID:312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        231⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        231⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        231⤵
        
        PID:912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        232⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        229⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        229⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        229⤵
        
        PID:716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        229⤵
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        230⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        229⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        227⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        227⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        227⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        227⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        227⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        225⤵
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        226⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        225⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        225⤵
        
        PID:448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        225⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        225⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        223⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        223⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        223⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        223⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        223⤵
        
        PID:776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        221⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        221⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        221⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        221⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        221⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        219⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        219⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        219⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        219⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        219⤵
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        220⤵
        
        PID:396
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        217⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        217⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        217⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        217⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        217⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        215⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        215⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        215⤵
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        216⤵
        
        PID:372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        215⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        215⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        213⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        213⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        213⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        213⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        213⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        211⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        211⤵
        
        PID:624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        211⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        211⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        211⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        209⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        209⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        209⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        209⤵
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        210⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        209⤵
        
        PID:2496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        210⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        207⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        207⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        207⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        207⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        207⤵
        
        PID:312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        205⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        205⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        205⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        205⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        205⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        203⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        203⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        203⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        203⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        203⤵
        
        PID:1616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        204⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        201⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        201⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        201⤵
        
        PID:640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        201⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        201⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        199⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        199⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        199⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        199⤵
        
        PID:3168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        199⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        197⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        197⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        197⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        197⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        197⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        195⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        195⤵
        
        PID:1840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        195⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        195⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        195⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        193⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        193⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        193⤵
        
        PID:2496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        194⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        193⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        193⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        191⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        191⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        191⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        191⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        191⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        189⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        189⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        189⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        189⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        189⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        187⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        187⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        187⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        187⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        187⤵
        
        PID:936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        185⤵
        
        PID:376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        185⤵
        
        PID:312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        185⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        185⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        185⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        183⤵
        
        PID:540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        183⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        183⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        183⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        183⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        181⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        181⤵
        
        PID:3384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        181⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        181⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        181⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        179⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        179⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        179⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        179⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        179⤵
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        177⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        177⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        177⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        177⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        177⤵
        
        PID:716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        175⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        175⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        175⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        175⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        175⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        173⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        173⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        173⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        173⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        173⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        171⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        171⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        171⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        171⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        171⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        169⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        169⤵
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        169⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        169⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        169⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        167⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        167⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        167⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        167⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        167⤵
        
        PID:116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        165⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        165⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        165⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        165⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        165⤵
        
        PID:684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        163⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        163⤵
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        163⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        163⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        163⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        161⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        161⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        161⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        161⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        161⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        159⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        159⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        159⤵
        
        PID:628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        159⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        159⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        157⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        157⤵
        
        PID:624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        157⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        157⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        157⤵
        
        PID:936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        155⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        155⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        155⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        155⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        155⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        153⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        153⤵
        
        PID:228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        153⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        153⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        153⤵
        
        PID:116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        151⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        151⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        151⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        151⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        151⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        149⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        149⤵
        
        PID:1688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        149⤵
        
        PID:4992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        149⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        149⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        147⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        147⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        147⤵
        
        PID:440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        147⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        147⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        145⤵
        
        PID:856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        145⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        145⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        145⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        145⤵
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        143⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        143⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        143⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        143⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        143⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        141⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        141⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        141⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        141⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        141⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        139⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        139⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        139⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        139⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        139⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        137⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        137⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        137⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        137⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        137⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        135⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        135⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        135⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        135⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        135⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        133⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        133⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        133⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        133⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        133⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        131⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        131⤵
        
        PID:776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        131⤵
        
        PID:552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        131⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        131⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        129⤵
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        129⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        129⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        129⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        129⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        127⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        127⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        127⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        127⤵
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        127⤵
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        125⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        125⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        125⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        125⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        125⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        123⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        123⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        123⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        123⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        123⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        121⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        121⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        121⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        121⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        121⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        119⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        119⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        119⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        117⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        117⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        117⤵
        
        PID:856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        115⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        115⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        115⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        113⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        113⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        113⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:1368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        111⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        111⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        111⤵
        
        PID:312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:1604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        109⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        109⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        109⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        107⤵
        
        PID:372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        107⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        107⤵
        
        PID:2536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        105⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        105⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        105⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        103⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        103⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        103⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        101⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        101⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        101⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        99⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        99⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        99⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        97⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        97⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        97⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        95⤵
        
        PID:3132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        95⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        95⤵
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        93⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        93⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        93⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        91⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        91⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        91⤵
        
        PID:244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        89⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        89⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        89⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        87⤵
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        87⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        87⤵
        
        PID:3200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        85⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        85⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        85⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:5116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        83⤵
        
        PID:1072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        83⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        83⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        81⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        81⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        81⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        79⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        79⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        79⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        77⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        77⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        77⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        75⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        75⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        75⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        73⤵
        
        PID:872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        73⤵
        
        PID:912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        73⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        71⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        71⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        71⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:5076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        69⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        69⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        67⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        65⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        63⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        61⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        59⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        57⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        55⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        53⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        51⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        49⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        47⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        45⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        43⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        41⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        39⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:1472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        37⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        35⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        33⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        31⤵
        
        PID:812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:1124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:1616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        29⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        27⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        25⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        23⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        21⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        19⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        17⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        15⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        13⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        11⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        9⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        7⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:2608
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:920
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:3576
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:3492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symlsrvn.exe > nul
        5⤵
        
        PID:1472
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5DF7B6~1.EXE > nul
    3⤵
    PID:4360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2640

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1132

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4428

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\symlsrvn.exe

Filesize
72KB

MD5
5df7b6914058320be1ecac739d32a4a7

SHA1
e4e867c32f36bba89fee537bde7d4c4934a3fe0d

SHA256
7451988910c8306e03cf10cebb4099cb360cf45685a175d67022cedb90be36a3

SHA512
3bfa6518383aa4a60caf27d363481b95e73f1aa7c40b615b025304d337711b82b7d78e1dd3c8e669bbaf25ebaeb0955e6f9aeda47a0eef93b81a1483d3fabf4b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
10KB

MD5
eb3e22f3c34d04f91f4a09f424d5e6e2

SHA1
266d7a91a081e37ffa70db048abd6936efa06f51

SHA256
13d0dda001d183c97c40c0b65b072b7fda09fcc4cc069f20e9a5b88242ed3df1

SHA512
8e6ffba5faafb05fc6690e0a61e14d1984fd7f5b2c2db31dc472c4c248fdd63cdc515cbd5f9794fc6d8e53db323cabd10e4d71350777d5866a1aeb0d7641c6da

Download Submit
memory/244-73-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/384-123-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/700-87-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/1576-147-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/2092-135-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/2332-86-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/2640-111-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/2656-4-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/2828-5-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/2828-0-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/2828-2-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/2828-1-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/2984-122-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download
memory/3680-146-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/4820-110-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/4876-134-0x00000000150E0000-0x00000000150ED000-memory.dmp

Filesize
52KB

Download
memory/5060-98-0x00000000150E0000-0x00000000150F9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads