94a2ec7f9b4a6dca1d1c4f33a2c3bcc6d3f667867c37b03e11f3d07ec78e7f90

Analysis

max time kernel
32s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Size

71KB
MD5

a3cdde4d17de1505f31cf6df00caf1ad
SHA1

2b39f4bf2a70ca0ca57f280cf07c2c835a3663e6
SHA256

94a2ec7f9b4a6dca1d1c4f33a2c3bcc6d3f667867c37b03e11f3d07ec78e7f90
SHA512

0b7c25e0a3f73aef5bbc369c8f71dbfe5f1f5ec0ad797b5bf53a9034441d7cad6053d3f2b2bfae372cbeaa51016ae7e35ab13d39144087ba7f471f96c63d123a
SSDEEP

768:+Lz1vSXs4nsmGEx8wf0jKaH/crbPMZlHSuJKtmG387GUUQB6WDbi6aefhejSXf0P:+Lzws4mExBqEIHTJKESqni6aicSXRK

Score

8^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe

Executes dropped EXE 64 IoCs

pid	Process
2712	symsnreg.exe
2832	symsnreg.exe
2180	symsnreg.exe
1368	symsnreg.exe
1216	symsnreg.exe
2288	symsnreg.exe
3000	symsnreg.exe
2204	symsnreg.exe
2304	symsnreg.exe
2988	symsnreg.exe
1732	symsnreg.exe
3032	symsnreg.exe
2060	symsnreg.exe
2928	symsnreg.exe
2492	symsnreg.exe
408	symsnreg.exe
2940	symsnreg.exe
2408	symsnreg.exe
3024	symsnreg.exe
1820	symsnreg.exe
1840	symsnreg.exe
2252	symsnreg.exe
2132	symsnreg.exe
2876	symsnreg.exe
1808	symsnreg.exe
944	symsnreg.exe
692	symsnreg.exe
3148	symsnreg.exe
3256	symsnreg.exe
3376	symsnreg.exe
3512	symsnreg.exe
3580	symsnreg.exe
3692	symsnreg.exe
3824	symsnreg.exe
3968	symsnreg.exe
4036	symsnreg.exe
3160	symsnreg.exe
3348	symsnreg.exe
3600	symsnreg.exe
3688	symsnreg.exe
3968	symsnreg.exe
4076	symsnreg.exe
3460	symsnreg.exe
3604	symsnreg.exe
3656	symsnreg.exe
3664	symsnreg.exe
4024	symsnreg.exe
4176	symsnreg.exe
4300	symsnreg.exe
4428	symsnreg.exe
4548	symsnreg.exe
4616	symsnreg.exe
4764	symsnreg.exe
4820	symsnreg.exe
5012	symsnreg.exe
5020	symsnreg.exe
4380	symsnreg.exe
4436	symsnreg.exe
4660	symsnreg.exe
4808	symsnreg.exe
4116	symsnreg.exe
4212	symsnreg.exe
4932	symsnreg.exe
5060	symsnreg.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe

Loads dropped DLL 64 IoCs

pid	Process
2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
2712	symsnreg.exe
2832	symsnreg.exe
2832	symsnreg.exe
2180	symsnreg.exe
1368	symsnreg.exe
1368	symsnreg.exe
2288	symsnreg.exe
2288	symsnreg.exe
2204	symsnreg.exe
2204	symsnreg.exe
2988	symsnreg.exe
2988	symsnreg.exe
3032	symsnreg.exe
3032	symsnreg.exe
2928	symsnreg.exe
2928	symsnreg.exe
408	symsnreg.exe
408	symsnreg.exe
2408	symsnreg.exe
2408	symsnreg.exe
1820	symsnreg.exe
1820	symsnreg.exe
2252	symsnreg.exe
2252	symsnreg.exe
2876	symsnreg.exe
2876	symsnreg.exe
944	symsnreg.exe
944	symsnreg.exe
3148	symsnreg.exe
3148	symsnreg.exe
3376	symsnreg.exe
3376	symsnreg.exe
3580	symsnreg.exe
3580	symsnreg.exe
3824	symsnreg.exe
3824	symsnreg.exe
4036	symsnreg.exe
4036	symsnreg.exe
3348	symsnreg.exe
3348	symsnreg.exe
3688	symsnreg.exe
3688	symsnreg.exe
4076	symsnreg.exe
4076	symsnreg.exe
3604	symsnreg.exe
3604	symsnreg.exe
3664	symsnreg.exe
3664	symsnreg.exe
4176	symsnreg.exe
4176	symsnreg.exe
4428	symsnreg.exe
4428	symsnreg.exe
4616	symsnreg.exe
4616	symsnreg.exe
4820	symsnreg.exe
4820	symsnreg.exe
5020	symsnreg.exe
5020	symsnreg.exe
4436	symsnreg.exe
4436	symsnreg.exe
4808	symsnreg.exe
4808	symsnreg.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	Process not Found
File created	C:\Windows\SysWOW64\symsnreg.exe	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	Process not Found
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2544 set thread context of 2400	2544	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	30
PID 2712 set thread context of 2832	2712	symsnreg.exe	32
PID 2180 set thread context of 1368	2180	symsnreg.exe	48
PID 1216 set thread context of 2288	1216	symsnreg.exe	56
PID 3000 set thread context of 2204	3000	symsnreg.exe	68
PID 2304 set thread context of 2988	2304	symsnreg.exe	85
PID 1732 set thread context of 3032	1732	symsnreg.exe	92
PID 2060 set thread context of 2928	2060	symsnreg.exe	110
PID 2492 set thread context of 408	2492	symsnreg.exe	123
PID 2940 set thread context of 2408	2940	symsnreg.exe	168
PID 3024 set thread context of 1820	3024	symsnreg.exe	144
PID 1840 set thread context of 2252	1840	symsnreg.exe	152
PID 2132 set thread context of 2876	2132	symsnreg.exe	169
PID 1808 set thread context of 944	1808	symsnreg.exe	280
PID 692 set thread context of 3148	692	symsnreg.exe	197
PID 3256 set thread context of 3376	3256	symsnreg.exe	208
PID 3512 set thread context of 3580	3512	symsnreg.exe	217
PID 3692 set thread context of 3824	3692	symsnreg.exe	232
PID 3968 set thread context of 4036	3968	symsnreg.exe	241
PID 3160 set thread context of 3348	3160	symsnreg.exe	255
PID 3600 set thread context of 3688	3600	symsnreg.exe	265
PID 3968 set thread context of 4076	3968	symsnreg.exe	276
PID 3460 set thread context of 3604	3460	symsnreg.exe	284
PID 3656 set thread context of 3664	3656	symsnreg.exe	303
PID 4024 set thread context of 4176	4024	symsnreg.exe	315
PID 4300 set thread context of 4428	4300	symsnreg.exe	329
PID 4548 set thread context of 4616	4548	symsnreg.exe	337
PID 4764 set thread context of 4820	4764	symsnreg.exe	348
PID 5012 set thread context of 5020	5012	symsnreg.exe	356
PID 4380 set thread context of 4436	4380	symsnreg.exe	375
PID 4660 set thread context of 4808	4660	symsnreg.exe	384
PID 4116 set thread context of 4212	4116	symsnreg.exe	400
PID 4932 set thread context of 5060	4932	symsnreg.exe	410
PID 4932 set thread context of 4472	4932	symsnreg.exe	423
PID 5212 set thread context of 5280	5212	symsnreg.exe	433
PID 5424 set thread context of 5504	5424	symsnreg.exe	445
PID 5652 set thread context of 5704	5652	symsnreg.exe	455
PID 5864 set thread context of 5912	5864	symsnreg.exe	466
PID 6124 set thread context of 4652	6124	symsnreg.exe	480
PID 5404 set thread context of 5556	5404	symsnreg.exe	495
PID 5908 set thread context of 6008	5908	symsnreg.exe	507
PID 5272 set thread context of 5588	5272	symsnreg.exe	521
PID 6032 set thread context of 6040	6032	symsnreg.exe	658
PID 6136 set thread context of 6172	6136	symsnreg.exe	544
PID 6308 set thread context of 6376	6308	symsnreg.exe	553
PID 6520 set thread context of 6612	6520	symsnreg.exe	566
PID 6772 set thread context of 6840	6772	symsnreg.exe	577
PID 6984 set thread context of 7080	6984	symsnreg.exe	590
PID 6168 set thread context of 6268	6168	symsnreg.exe	601
PID 6588 set thread context of 6624	6588	symsnreg.exe	608
PID 6980 set thread context of 7116	6980	symsnreg.exe	625
PID 6416 set thread context of 6744	6416	symsnreg.exe	640
PID 6136 set thread context of 6272	6136	symsnreg.exe	649
PID 6596 set thread context of 7208	6596	symsnreg.exe	665
PID 7316 set thread context of 7396	7316	symsnreg.exe	674
PID 7564 set thread context of 7636	7564	symsnreg.exe	685
PID 7800 set thread context of 7856	7800	symsnreg.exe	697
PID 7988 set thread context of 8080	7988	symsnreg.exe	710
PID 7220 set thread context of 7176	7220	symsnreg.exe	720
PID 7668 set thread context of 7672	7668	symsnreg.exe	728
PID 8000 set thread context of 6736	8000	symsnreg.exe	879
PID 7508 set thread context of 7900	7508	symsnreg.exe	759
PID 7328 set thread context of 7500	7328	symsnreg.exe	771
PID 7304 set thread context of 7212	7304	symsnreg.exe	775

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2832	symsnreg.exe
Token: SeIncBasePriorityPrivilege	1368	symsnreg.exe
Token: SeIncBasePriorityPrivilege	2288	symsnreg.exe
Token: SeIncBasePriorityPrivilege	2204	symsnreg.exe
Token: SeIncBasePriorityPrivilege	2988	symsnreg.exe
Token: SeIncBasePriorityPrivilege	3032	symsnreg.exe
Token: SeIncBasePriorityPrivilege	2928	symsnreg.exe
Token: SeIncBasePriorityPrivilege	408	symsnreg.exe
Token: SeIncBasePriorityPrivilege	2408	symsnreg.exe
Token: SeIncBasePriorityPrivilege	1820	symsnreg.exe
Token: SeIncBasePriorityPrivilege	2252	symsnreg.exe
Token: SeIncBasePriorityPrivilege	2876	symsnreg.exe
Token: SeIncBasePriorityPrivilege	944	symsnreg.exe
Token: SeIncBasePriorityPrivilege	3148	symsnreg.exe
Token: SeIncBasePriorityPrivilege	3376	symsnreg.exe
Token: SeIncBasePriorityPrivilege	3580	symsnreg.exe
Token: SeIncBasePriorityPrivilege	3824	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4036	symsnreg.exe
Token: SeIncBasePriorityPrivilege	3348	symsnreg.exe
Token: SeIncBasePriorityPrivilege	3688	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4076	symsnreg.exe
Token: SeIncBasePriorityPrivilege	3604	symsnreg.exe
Token: SeIncBasePriorityPrivilege	3664	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4176	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4428	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4616	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4820	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5020	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4436	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4808	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4212	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5060	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4472	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5280	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5504	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5704	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5912	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4652	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5556	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6008	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5588	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6040	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6172	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6376	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6612	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6840	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7080	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6268	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6624	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7116	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6744	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6272	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7208	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7396	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7636	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7856	symsnreg.exe
Token: SeIncBasePriorityPrivilege	8080	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7176	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7672	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6736	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7900	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7500	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7212	symsnreg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2400	2544	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2400	2544	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2400	2544	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2400	2544	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2400	2544	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2400	2544	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2400	2544	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2400	2544	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2400	2544	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2712	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2712	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2712	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2712	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2832	2712	symsnreg.exe	32
PID 2712 wrote to memory of 2832	2712	symsnreg.exe	32
PID 2712 wrote to memory of 2832	2712	symsnreg.exe	32
PID 2712 wrote to memory of 2832	2712	symsnreg.exe	32
PID 2712 wrote to memory of 2832	2712	symsnreg.exe	32
PID 2712 wrote to memory of 2832	2712	symsnreg.exe	32
PID 2712 wrote to memory of 2832	2712	symsnreg.exe	32
PID 2712 wrote to memory of 2832	2712	symsnreg.exe	32
PID 2712 wrote to memory of 2832	2712	symsnreg.exe	32
PID 2400 wrote to memory of 2788	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2788	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2788	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2788	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2764	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2764	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2764	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2764	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2636	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2636	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2636	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2636	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2780	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	37
PID 2400 wrote to memory of 2780	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	37
PID 2400 wrote to memory of 2780	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	37
PID 2400 wrote to memory of 2780	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	37
PID 2400 wrote to memory of 2120	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2120	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2120	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2120	2400	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	38
PID 2832 wrote to memory of 2180	2832	symsnreg.exe	139
PID 2832 wrote to memory of 2180	2832	symsnreg.exe	139
PID 2832 wrote to memory of 2180	2832	symsnreg.exe	139
PID 2832 wrote to memory of 2180	2832	symsnreg.exe	139
PID 2832 wrote to memory of 2100	2832	symsnreg.exe	44
PID 2832 wrote to memory of 2100	2832	symsnreg.exe	44
PID 2832 wrote to memory of 2100	2832	symsnreg.exe	44
PID 2832 wrote to memory of 2100	2832	symsnreg.exe	44
PID 2832 wrote to memory of 1716	2832	symsnreg.exe	45
PID 2832 wrote to memory of 1716	2832	symsnreg.exe	45
PID 2832 wrote to memory of 1716	2832	symsnreg.exe	45
PID 2832 wrote to memory of 1716	2832	symsnreg.exe	45
PID 2832 wrote to memory of 812	2832	symsnreg.exe	46
PID 2832 wrote to memory of 812	2832	symsnreg.exe	46
PID 2832 wrote to memory of 812	2832	symsnreg.exe	46
PID 2832 wrote to memory of 812	2832	symsnreg.exe	46
PID 2832 wrote to memory of 2424	2832	symsnreg.exe	47
PID 2832 wrote to memory of 2424	2832	symsnreg.exe	47
PID 2832 wrote to memory of 2424	2832	symsnreg.exe	47
PID 2832 wrote to memory of 2424	2832	symsnreg.exe	47
PID 2180 wrote to memory of 1368	2180	symsnreg.exe	48
PID 2180 wrote to memory of 1368	2180	symsnreg.exe	48

C:\Users\Admin\AppData\Local\Temp\a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Impair Defenses: Safe Mode Boot
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\symsnreg.exe
    "C:\Windows\system32\symsnreg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\symsnreg.exe
      "C:\Windows\SysWOW64\symsnreg.exe"
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1216
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3000
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        10⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2304
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        14⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2060
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        16⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2492
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        18⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2940
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        20⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3024
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1840
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        24⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2132
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1808
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        28⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:692
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3256
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        32⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3512
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3692
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3968
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        38⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3160
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3600
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3460
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        46⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3656
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        48⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4024
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        50⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4300
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4548
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        54⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4764
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5012
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        58⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4380
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        60⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4660
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4116
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        64⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4932
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        66⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:4932
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        68⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:5212
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        70⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5280
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:5424
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        72⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5504
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:5652
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        74⤵
        Disables RegEdit via registry modification
        Suspicious use of AdjustPrivilegeToken
        
        PID:5704
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:5864
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        76⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5912
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:6124
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        78⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:5404
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        80⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:5556
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:5908
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        82⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:6008
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:5272
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        84⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:5588
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:6032
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        86⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:6136
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        88⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6172
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:6308
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        90⤵
        Disables RegEdit via registry modification
        Suspicious use of AdjustPrivilegeToken
        
        PID:6376
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:6520
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        92⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6612
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:6772
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        94⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:6840
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6984
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        96⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:7080
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:6168
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        98⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:6268
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:6588
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        100⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:6624
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:6980
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        102⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:7116
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:6416
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        104⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:6744
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:6136
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        106⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:6272
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        107⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6596
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        108⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:7208
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:7316
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        110⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:7396
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:7564
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        112⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:7636
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        113⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:7800
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        114⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:7856
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        115⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:7988
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        116⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:8080
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:7220
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        118⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:7176
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:7668
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        120⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:7672
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:8000
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        122⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:6736
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:7508
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        124⤵
        Disables RegEdit via registry modification
        Suspicious use of AdjustPrivilegeToken
        
        PID:7900
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:7328
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        126⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:7500
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:7304
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        128⤵
        Drops file in Drivers directory
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7212
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        129⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        130⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:8364
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        131⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        132⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:8640
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        133⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        134⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:8792
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        135⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        136⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:9128
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        137⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        138⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:8196
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        139⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        140⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        141⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        142⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:9184
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        143⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        144⤵
        Adds Run key to start application
        
        PID:8692
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        145⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        146⤵
        Adds Run key to start application
        
        PID:8880
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        147⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        148⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:9272
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        149⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        150⤵
        Adds Run key to start application
        
        PID:9528
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        151⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        152⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:9764
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:9888
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        154⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:10004
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        155⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        156⤵
        Adds Run key to start application
        
        PID:10184
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        157⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        158⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:9540
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        159⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        160⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        
        PID:9788
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        161⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        162⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:9204
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:9644
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        164⤵
        Adds Run key to start application
        
        PID:10016
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        165⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        166⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        167⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        168⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:9856
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        169⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        170⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        171⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        172⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:10704
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        173⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        174⤵
        Drops file in Drivers directory
        
        PID:10968
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        175⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        176⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:11168
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        177⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        178⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:9204
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        179⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        180⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:10440
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:9824
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        182⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:9980
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        183⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        184⤵
        Drops file in Drivers directory
        
        PID:11060
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        185⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        186⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:11064
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        187⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        188⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:11492
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        189⤵
        
        PID:11616
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        190⤵
        Drops file in Drivers directory
        
        PID:11744
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        191⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        192⤵
        Adds Run key to start application
        
        PID:11944
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        193⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        194⤵
        
        PID:12140
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        195⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        196⤵
        Adds Run key to start application
        
        PID:11360
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        197⤵
        
        PID:11708
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        198⤵
        Adds Run key to start application
        
        PID:11916
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        199⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        200⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        System Location Discovery: System Language Discovery
        
        PID:12100
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        201⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        202⤵
        Drops file in System32 directory
        
        PID:11520
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        203⤵
        
        PID:11344
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        204⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:11424
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        205⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        206⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:11528
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        207⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        208⤵
        Adds Run key to start application
        
        PID:12528
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        209⤵
        
        PID:12652
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        210⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:12772
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        211⤵
        
        PID:12896
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        212⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:12972
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        213⤵
        
        PID:13128
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        214⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:13148
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        215⤵
        
        PID:12364
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        216⤵
        Drops file in System32 directory
        
        PID:12428
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        217⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        218⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:12724
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        219⤵
        
        PID:13128
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        220⤵
        Adds Run key to start application
        
        PID:13108
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        221⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        222⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:12760
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        223⤵
        
        PID:12336
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        224⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:13296
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        225⤵
        
        PID:12568
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        226⤵
        Drops file in Drivers directory
        
        PID:13352
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        227⤵
        
        PID:13508
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        228⤵
        Disables RegEdit via registry modification
        
        PID:13596
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        229⤵
        
        PID:13804
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        230⤵
        Disables RegEdit via registry modification
        
        PID:13904
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        231⤵
        
        PID:14032
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        232⤵
        
        PID:14132
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        233⤵
        
        PID:14264
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        234⤵
        Drops file in System32 directory
        
        PID:12968
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        235⤵
        
        PID:13556
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        236⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:13776
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        237⤵
        
        PID:13916
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        238⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:14112
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        239⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        240⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:13672
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        241⤵
        
        PID:13808
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        242⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:14136
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        243⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        244⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:13812
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        245⤵
        
        PID:14340
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        246⤵
        Drops file in Drivers directory
        
        PID:14460
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        247⤵
        
        PID:14556
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        248⤵
        Drops file in System32 directory
        
        PID:14680
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        249⤵
        
        PID:14812
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        250⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        
        PID:14956
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        251⤵
        
        PID:15040
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        252⤵
        Disables RegEdit via registry modification
        
        PID:15108
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        253⤵
        
        PID:15272
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        254⤵
        
        PID:14136
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        255⤵
        
        PID:14544
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        256⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:14720
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        257⤵
        
        PID:14816
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        258⤵
        Disables RegEdit via registry modification
        
        PID:14960
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        259⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        260⤵
        Disables RegEdit via registry modification
        
        PID:14796
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        261⤵
        
        PID:15276
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        262⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:15252
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        263⤵
        
        PID:14568
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        264⤵
        Drops file in System32 directory
        
        PID:15388
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        265⤵
        
        PID:15512
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        266⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:15560
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        267⤵
        
        PID:15716
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        268⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        
        PID:15788
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        269⤵
        
        PID:15964
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        270⤵
        
        PID:16076
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        271⤵
        
        PID:16192
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        272⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:16304
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        273⤵
        System Location Discovery: System Language Discovery
        
        PID:14404
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        274⤵
        Drops file in Drivers directory
        
        PID:15496
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        275⤵
        System Location Discovery: System Language Discovery
        
        PID:15704
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        276⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:15808
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        277⤵
        
        PID:16268
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        278⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:15376
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        279⤵
        
        PID:14568
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        280⤵
        Drops file in Drivers directory
        
        PID:15944
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        281⤵
        
        PID:16360
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        282⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:16040
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        283⤵
        
        PID:16268
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        284⤵
        
        PID:16052
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        285⤵
        
        PID:16460
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        285⤵
        
        PID:16484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        285⤵
        
        PID:16492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        285⤵
        
        PID:16500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        285⤵
        
        PID:16508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        283⤵
        
        PID:16268
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        283⤵
        
        PID:16060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        283⤵
        
        PID:16036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        283⤵
        
        PID:15588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        283⤵
        
        PID:15484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        281⤵
        
        PID:14620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        281⤵
        
        PID:15508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        281⤵
        
        PID:15460
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        281⤵
        
        PID:15972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        281⤵
        
        PID:15592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        279⤵
        
        PID:15720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        279⤵
        
        PID:15700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        279⤵
        
        PID:15712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        279⤵
        
        PID:15860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        279⤵
        
        PID:15520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        277⤵
        
        PID:16152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        277⤵
        
        PID:16176
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        277⤵
        
        PID:16260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        277⤵
        
        PID:16196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        277⤵
        
        PID:16312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        275⤵
        
        PID:15716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        275⤵
        
        PID:15812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        275⤵
        
        PID:15820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        275⤵
        
        PID:15828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        275⤵
        
        PID:15800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        273⤵
        System Location Discovery: System Language Discovery
        
        PID:15380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        273⤵
        System Location Discovery: System Language Discovery
        
        PID:14452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        273⤵
        
        PID:15404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        273⤵
        
        PID:15416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        273⤵
        
        PID:15400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:16204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        271⤵
        
        PID:16212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        271⤵
        
        PID:16220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        271⤵
        
        PID:16228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        271⤵
        
        PID:16240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        269⤵
        
        PID:15976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        269⤵
        
        PID:15984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        269⤵
        
        PID:15992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        269⤵
        
        PID:16000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        269⤵
        
        PID:16012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        267⤵
        
        PID:15732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:15740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        267⤵
        
        PID:15748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        267⤵
        
        PID:15756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        267⤵
        
        PID:15768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        265⤵
        
        PID:15524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        265⤵
        
        PID:15532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        265⤵
        
        PID:15540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        265⤵
        
        PID:15548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        265⤵
        
        PID:15568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        263⤵
        
        PID:14812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        263⤵
        
        PID:14804
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        263⤵
        
        PID:14816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        263⤵
        
        PID:14412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        263⤵
        
        PID:15364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        261⤵
        
        PID:15272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        261⤵
        
        PID:15104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        261⤵
        
        PID:15208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        261⤵
        
        PID:15176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        261⤵
        
        PID:14716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        259⤵
        
        PID:14140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        259⤵
        
        PID:15356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        259⤵
        
        PID:15332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        259⤵
        
        PID:14640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        259⤵
        
        PID:14724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        257⤵
        
        PID:15004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        257⤵
        
        PID:14516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:15044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        257⤵
        
        PID:15124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        257⤵
        
        PID:15136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        255⤵
        
        PID:14552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        255⤵
        
        PID:14520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        255⤵
        
        PID:14536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        255⤵
        
        PID:14688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:14900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        253⤵
        
        PID:15284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:15292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:15300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        253⤵
        
        PID:15308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        253⤵
        
        PID:15336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        251⤵
        
        PID:15052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        251⤵
        
        PID:15060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        251⤵
        
        PID:15068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        251⤵
        
        PID:15076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        251⤵
        
        PID:15168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        249⤵
        
        PID:14824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        249⤵
        
        PID:14832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        249⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        249⤵
        
        PID:14848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        249⤵
        
        PID:14860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        247⤵
        
        PID:14576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        247⤵
        
        PID:14584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        247⤵
        
        PID:14592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        247⤵
        
        PID:14600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        247⤵
        
        PID:14652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        245⤵
        
        PID:14352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        245⤵
        
        PID:14360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        245⤵
        
        PID:14368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        245⤵
        
        PID:14376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        245⤵
        
        PID:14388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        243⤵
        
        PID:14240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        243⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        243⤵
        
        PID:13668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        243⤵
        
        PID:13496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:13436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        241⤵
        
        PID:13936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        241⤵
        
        PID:14004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        241⤵
        
        PID:14188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        241⤵
        
        PID:14072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        241⤵
        
        PID:14260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        239⤵
        
        PID:14264
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        239⤵
        
        PID:13400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        239⤵
        
        PID:12312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        239⤵
        
        PID:12336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        239⤵
        
        PID:13644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        237⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        237⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        237⤵
        
        PID:14016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        237⤵
        
        PID:13908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        237⤵
        
        PID:14036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        235⤵
        
        PID:13476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        235⤵
        
        PID:13584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        235⤵
        
        PID:13636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        235⤵
        
        PID:13512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        235⤵
        
        PID:13656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        233⤵
        
        PID:14276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        233⤵
        
        PID:14284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        233⤵
        
        PID:14292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        233⤵
        
        PID:14300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        233⤵
        
        PID:14312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        231⤵
        
        PID:14044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        231⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        231⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        231⤵
        
        PID:14076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        231⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        229⤵
        
        PID:13816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        229⤵
        
        PID:13824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        229⤵
        
        PID:13832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        229⤵
        
        PID:13848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        229⤵
        
        PID:13868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        227⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        227⤵
        
        PID:13532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        227⤵
        
        PID:13540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        227⤵
        
        PID:13548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        227⤵
        
        PID:13560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        225⤵
        
        PID:12792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        225⤵
        
        PID:13300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        225⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        225⤵
        
        PID:12900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        225⤵
        
        PID:13332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        223⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        223⤵
        
        PID:12824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        223⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        223⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        223⤵
        
        PID:12704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        221⤵
        
        PID:12624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        221⤵
        
        PID:12580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        221⤵
        
        PID:12784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        221⤵
        
        PID:12780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        221⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        219⤵
        
        PID:13156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        219⤵
        
        PID:12976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        219⤵
        
        PID:13104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        219⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        219⤵
        
        PID:13188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        217⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        217⤵
        
        PID:12600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        217⤵
        
        PID:12752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        217⤵
        
        PID:12992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        217⤵
        
        PID:12872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        215⤵
        
        PID:11952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        215⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        215⤵
        
        PID:12296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        215⤵
        
        PID:12384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        215⤵
        
        PID:12452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        213⤵
        
        PID:13168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        213⤵
        
        PID:13212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        213⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        213⤵
        
        PID:13232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        213⤵
        
        PID:13244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        211⤵
        
        PID:12920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        211⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:12936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        211⤵
        
        PID:12944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        211⤵
        
        PID:12980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        209⤵
        
        PID:12664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        209⤵
        
        PID:12672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        209⤵
        
        PID:12680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        209⤵
        
        PID:12692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        209⤵
        
        PID:12708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:12472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        207⤵
        
        PID:12480
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        207⤵
        
        PID:12488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        207⤵
        
        PID:12496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        207⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        205⤵
        
        PID:11912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        205⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        205⤵
        
        PID:12316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        205⤵
        
        PID:12324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        205⤵
        
        PID:12340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        203⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:12208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        203⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        203⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        203⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        201⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        201⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        201⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        201⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        201⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        199⤵
        
        PID:12016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        199⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        199⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        199⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        199⤵
        
        PID:12172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        197⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        197⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        197⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        197⤵
        
        PID:11580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        197⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        195⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        195⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        195⤵
        
        PID:10984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        195⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        195⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        193⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        193⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        193⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        193⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        193⤵
        
        PID:12112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:11856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        191⤵
        
        PID:11864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        191⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        191⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        191⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        189⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        189⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        189⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        189⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        189⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:11436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        187⤵
        
        PID:11444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        187⤵
        
        PID:11452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        187⤵
        
        PID:11460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        187⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        185⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        185⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        185⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        185⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        185⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:10884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        183⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        183⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        183⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        183⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        181⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        181⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        181⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        181⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        181⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        179⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        179⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        179⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        179⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        179⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        177⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:10368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        177⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        177⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        177⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        175⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        175⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        175⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        175⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        175⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        173⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        173⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        173⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        173⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        173⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        171⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        171⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        171⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        171⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        171⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        169⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        169⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        169⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        169⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        169⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        167⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        167⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        167⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        167⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        167⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        165⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        165⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        165⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        165⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:9796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        163⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        163⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        163⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        163⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        163⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        161⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        161⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        161⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        161⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        161⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        159⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        159⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        159⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        159⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        159⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        157⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        157⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        157⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        157⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        157⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        155⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        155⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:10132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        155⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        155⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        153⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        153⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        153⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        153⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        153⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        151⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        151⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        151⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        151⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        151⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        149⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        149⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        149⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        149⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:9492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        147⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        147⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        147⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        147⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        147⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:9160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        145⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        145⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        145⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        145⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        143⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        143⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        143⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        143⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        143⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        141⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        141⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        141⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:8972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        141⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        139⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        139⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        139⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        139⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        139⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        137⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        137⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        137⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        137⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        137⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        135⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        135⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        135⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        135⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        135⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        133⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        133⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        133⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        133⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        133⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        131⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        131⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        131⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:8620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        131⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        129⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        129⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        129⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:8400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        129⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        127⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        127⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        127⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        127⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        127⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        125⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        125⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        125⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        125⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        125⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        123⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        123⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        123⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        123⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        123⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        121⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        121⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        121⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        121⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        121⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        119⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        119⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        119⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:7248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        117⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        117⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        115⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        115⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        115⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        113⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        113⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        113⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:7596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        111⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        111⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        109⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        109⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        109⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        107⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        107⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        107⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        105⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        105⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        105⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        103⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:6296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:6496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        101⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        101⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        101⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        99⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        99⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        99⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        97⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        97⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        95⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        95⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        95⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        93⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        93⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:6820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        91⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        91⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:6572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        89⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        89⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        89⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        87⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        87⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        87⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        85⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        85⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        85⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        83⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        83⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        83⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        81⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        81⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        79⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        79⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        79⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        77⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        77⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        77⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        75⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        75⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        73⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        73⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        73⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        71⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        71⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        71⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        69⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        67⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        65⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        63⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        61⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        59⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        57⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        55⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        53⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        51⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        49⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        47⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        45⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        43⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        41⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        39⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        37⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        35⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        33⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        31⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        29⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        27⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:268
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        25⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        21⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        19⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        17⤵
        
        PID:468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        15⤵
        
        PID:832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        13⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        11⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        9⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        7⤵
        
        PID:380
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:812
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        5⤵
        
        PID:1048
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A3CDDE~1.EXE > nul
    3⤵
    PID:2120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2123552581-158486958716094712811929005973-108804789520170279517745185641551499296"
1⤵
PID:3000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "308458502-2137960533-11586110615351494461378307273200168714120952860-1218511351"
1⤵
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-122506525990479902682288817-1754340049-1209994354-6610341741127307959-906831238"
1⤵
PID:2132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-142385128-4401656111962770142558417861423113990-15233168471724406145498260312"
1⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "874097279-103174309295253661858194082-263147060-15867075481700628002-1768106535"
1⤵
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4976458241513644384-1690052631112267640118936947901314665427-6742051292092411863"
1⤵
PID:3600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17872228511843973321816681873779578915358962657802401189-948775776276745285"
1⤵
PID:4764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-261808862818760369-2026330104207523115517072341961824242351203814179-1856357113"
1⤵
PID:5212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-238155747-1660667710-231409695-5852651321633956656-118137350211398844761579420687"
1⤵
PID:5404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1005128063143562971732395262114254810841172780704-266114909-252603446-139040283"
1⤵
PID:5272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2074709243-156131519712454857911473616472202655525110026629641527103889532309070"
1⤵
PID:6588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1383816971979950694-288722328998023132570467572-1428684781-1815220814-198880833"
1⤵
PID:7316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "204854402847711385-838451095-12418664001310635062-656584918-56464235454144141"
1⤵
PID:7668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "397864613821707404-513787422-1244114831-359794174187214688622565229940713600"
1⤵
PID:6596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "298620625-173323096-2077377991671597814626931673206996546-561242869-969878735"
1⤵
PID:8328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "117367559915574744171788512973-1459520549-89345515-697217624404154273-1292681391"
1⤵
PID:7328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-900254456-582512069364418773-1738909569365388137-317327787995552572421685848"
1⤵
PID:9036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "788465139-6324272811643047718-16668466492074835549-20589967971046649265762337321"
1⤵
PID:9656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17620087961587277896-49627559-939352906833122102357292935798303932-1693978035"
1⤵
PID:11060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1268461607-1215404097-1372157353332630403-490989893-2133427713-1446448939-59392728"
1⤵
PID:11616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-146418912398279990-2057841025-11612371206491507-213278494779465557-405257074"
1⤵
PID:11708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-205650364-5938013861462915784196260418319316005192064693287-264062744-1574932059"
1⤵
PID:10724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1905941780-2012899844-130904657-1692914717810436701-5999012611834553061-911246850"
1⤵
PID:12896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1023881127758497299582399420-7025251141399126872-301613633721544598-1743423064"
1⤵
PID:13916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1561882151-1143996911-1056197904-5831220231763860236-1968767634198704317-1009079786"
1⤵
PID:13808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9403497532138644093974333294-410472008-1476122817-264771157-8030778141770633235"
1⤵
PID:13380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "196498334-1814674713450948129-79158799712869382011556126158-165723165-382423124"
1⤵
PID:12568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-244321758-73351263-1503087586-1814668970953316652-8963785451138427760-1920760981"
1⤵
PID:14340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "286927174-1496495722179460614-944035649-1182058518-831895268157865060-1501571084"
1⤵
PID:15512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "303200229-20239616471172653762-1679660967-38374154919409810028138682-1402979529"
1⤵
PID:14568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\drivers\etc\hosts

Filesize
8KB

MD5
a7301e28065d05b884ca76c1bb28f716

SHA1
d95ffd2c1a3d01d016c6c344e025e206a254af23

SHA256
b61f5f810df3304ce4c0c9cd73f5a55e5815f94cd968a398542cd5de0b626e55

SHA512
db570978b7264e12648c39c853f6e3697692a7175edcb27f5b268492fb0c0d31b04f4dfa40bc4373e9cddb4d7e771d15512c13f7bf17c91843562c0de71d2d07

Download Submit
\Windows\SysWOW64\symsnreg.exe

Filesize
71KB

MD5
a3cdde4d17de1505f31cf6df00caf1ad

SHA1
2b39f4bf2a70ca0ca57f280cf07c2c835a3663e6

SHA256
94a2ec7f9b4a6dca1d1c4f33a2c3bcc6d3f667867c37b03e11f3d07ec78e7f90

SHA512
0b7c25e0a3f73aef5bbc369c8f71dbfe5f1f5ec0ad797b5bf53a9034441d7cad6053d3f2b2bfae372cbeaa51016ae7e35ab13d39144087ba7f471f96c63d123a

Download Submit
memory/1216-80-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download
memory/2180-66-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download
memory/2400-4-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/2400-0-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/2400-2-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/2400-7-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/2400-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-10-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/2400-15-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/2544-14-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download
memory/2712-42-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads