94a2ec7f9b4a6dca1d1c4f33a2c3bcc6d3f667867c37b03e11f3d07ec78e7f90

Analysis

max time kernel
135s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Size

71KB
MD5

a3cdde4d17de1505f31cf6df00caf1ad
SHA1

2b39f4bf2a70ca0ca57f280cf07c2c835a3663e6
SHA256

94a2ec7f9b4a6dca1d1c4f33a2c3bcc6d3f667867c37b03e11f3d07ec78e7f90
SHA512

0b7c25e0a3f73aef5bbc369c8f71dbfe5f1f5ec0ad797b5bf53a9034441d7cad6053d3f2b2bfae372cbeaa51016ae7e35ab13d39144087ba7f471f96c63d123a
SSDEEP

768:+Lz1vSXs4nsmGEx8wf0jKaH/crbPMZlHSuJKtmG387GUUQB6WDbi6aefhejSXf0P:+Lzws4mExBqEIHTJKESqni6aicSXRK

Score

8^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 51 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	symsnreg.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File created	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	symsnreg.exe

Checks computer location settings 2 TTPs 51 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	symsnreg.exe

Executes dropped EXE 64 IoCs

pid	Process
4940	symsnreg.exe
1368	symsnreg.exe
4584	symsnreg.exe
4960	symsnreg.exe
2200	symsnreg.exe
2788	symsnreg.exe
4444	symsnreg.exe
5036	symsnreg.exe
3284	symsnreg.exe
4640	symsnreg.exe
4420	symsnreg.exe
3908	symsnreg.exe
4488	symsnreg.exe
4308	symsnreg.exe
3212	symsnreg.exe
5124	symsnreg.exe
5380	symsnreg.exe
5480	symsnreg.exe
5680	symsnreg.exe
5784	symsnreg.exe
6068	symsnreg.exe
4484	symsnreg.exe
5780	symsnreg.exe
6084	symsnreg.exe
5780	symsnreg.exe
6240	symsnreg.exe
6508	symsnreg.exe
6608	symsnreg.exe
6896	symsnreg.exe
7000	symsnreg.exe
6260	symsnreg.exe
6636	symsnreg.exe
6176	symsnreg.exe
7204	symsnreg.exe
7424	symsnreg.exe
7520	symsnreg.exe
7736	symsnreg.exe
7844	symsnreg.exe
8072	symsnreg.exe
8184	symsnreg.exe
7588	symsnreg.exe
7904	symsnreg.exe
8044	symsnreg.exe
8288	symsnreg.exe
8504	symsnreg.exe
8592	symsnreg.exe
8848	symsnreg.exe
8936	symsnreg.exe
9176	symsnreg.exe
8244	symsnreg.exe
8596	symsnreg.exe
9092	symsnreg.exe
9232	symsnreg.exe
9328	symsnreg.exe
9560	symsnreg.exe
9668	symsnreg.exe
9892	symsnreg.exe
9988	symsnreg.exe
10212	symsnreg.exe
9316	symsnreg.exe
10100	symsnreg.exe
10216	symsnreg.exe
10468	symsnreg.exe
10588	symsnreg.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Symantec Registry Server = "symsnreg.exe"	symsnreg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File opened for modification	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe
File created	C:\Windows\SysWOW64\symsnreg.exe	symsnreg.exe

Suspicious use of SetThreadContext 52 IoCs

description	pid	Process	procid_target
PID 1852 set thread context of 60	1852	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	86
PID 4940 set thread context of 1368	4940	symsnreg.exe	94
PID 4584 set thread context of 4960	4584	symsnreg.exe	108
PID 2200 set thread context of 2788	2200	symsnreg.exe	119
PID 4444 set thread context of 5036	4444	symsnreg.exe	135
PID 3284 set thread context of 4640	3284	symsnreg.exe	147
PID 4420 set thread context of 3908	4420	symsnreg.exe	160
PID 4488 set thread context of 4308	4488	symsnreg.exe	169
PID 3212 set thread context of 5124	3212	symsnreg.exe	180
PID 5380 set thread context of 5480	5380	symsnreg.exe	194
PID 5680 set thread context of 5784	5680	symsnreg.exe	206
PID 6068 set thread context of 4484	6068	symsnreg.exe	218
PID 5780 set thread context of 6084	5780	symsnreg.exe	232
PID 5780 set thread context of 6240	5780	symsnreg.exe	245
PID 6508 set thread context of 6608	6508	symsnreg.exe	256
PID 6896 set thread context of 7000	6896	symsnreg.exe	270
PID 6260 set thread context of 6636	6260	symsnreg.exe	283
PID 6176 set thread context of 7204	6176	symsnreg.exe	296
PID 7424 set thread context of 7520	7424	symsnreg.exe	307
PID 7736 set thread context of 7844	7736	symsnreg.exe	319
PID 8072 set thread context of 8184	8072	symsnreg.exe	331
PID 7588 set thread context of 7904	7588	symsnreg.exe	341
PID 8044 set thread context of 8288	8044	symsnreg.exe	356
PID 8504 set thread context of 8592	8504	symsnreg.exe	367
PID 8848 set thread context of 8936	8848	symsnreg.exe	379
PID 9176 set thread context of 8244	9176	symsnreg.exe	392
PID 8596 set thread context of 9092	8596	symsnreg.exe	403
PID 9232 set thread context of 9328	9232	symsnreg.exe	416
PID 9560 set thread context of 9668	9560	symsnreg.exe	429
PID 9892 set thread context of 9988	9892	symsnreg.exe	440
PID 10212 set thread context of 9316	10212	symsnreg.exe	452
PID 10100 set thread context of 10216	10100	symsnreg.exe	463
PID 10468 set thread context of 10588	10468	symsnreg.exe	478
PID 10804 set thread context of 10860	10804	symsnreg.exe	486
PID 11128 set thread context of 11216	11128	symsnreg.exe	501
PID 10468 set thread context of 10804	10468	symsnreg.exe	513
PID 9412 set thread context of 11360	9412	symsnreg.exe	526
PID 11580 set thread context of 11676	11580	symsnreg.exe	537
PID 11896 set thread context of 11948	11896	symsnreg.exe	546
PID 12212 set thread context of 10488	12212	symsnreg.exe	560
PID 11748 set thread context of 12116	11748	symsnreg.exe	574
PID 11964 set thread context of 12308	11964	symsnreg.exe	586
PID 12520 set thread context of 12580	12520	symsnreg.exe	595
PID 12808 set thread context of 12860	12808	symsnreg.exe	605
PID 13124 set thread context of 13220	13124	symsnreg.exe	621
PID 12528 set thread context of 12640	12528	symsnreg.exe	634
PID 1400 set thread context of 12984	1400	symsnreg.exe	686
PID 13472 set thread context of 13552	13472	symsnreg.exe	656
PID 13788 set thread context of 13884	13788	symsnreg.exe	670
PID 14112 set thread context of 14216	14112	symsnreg.exe	682
PID 13536 set thread context of 13628	13536	symsnreg.exe	694
PID 14320 set thread context of 13672	14320	symsnreg.exe	699

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	symsnreg.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	symsnreg.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1368	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4960	symsnreg.exe
Token: SeIncBasePriorityPrivilege	2788	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5036	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4640	symsnreg.exe
Token: SeIncBasePriorityPrivilege	3908	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4308	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5124	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5480	symsnreg.exe
Token: SeIncBasePriorityPrivilege	5784	symsnreg.exe
Token: SeIncBasePriorityPrivilege	4484	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6084	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6240	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6608	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7000	symsnreg.exe
Token: SeIncBasePriorityPrivilege	6636	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7204	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7520	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7844	symsnreg.exe
Token: SeIncBasePriorityPrivilege	8184	symsnreg.exe
Token: SeIncBasePriorityPrivilege	7904	symsnreg.exe
Token: SeIncBasePriorityPrivilege	8288	symsnreg.exe
Token: SeIncBasePriorityPrivilege	8592	symsnreg.exe
Token: SeIncBasePriorityPrivilege	8936	symsnreg.exe
Token: SeIncBasePriorityPrivilege	8244	symsnreg.exe
Token: SeIncBasePriorityPrivilege	9092	symsnreg.exe
Token: SeIncBasePriorityPrivilege	9328	symsnreg.exe
Token: SeIncBasePriorityPrivilege	9668	symsnreg.exe
Token: SeIncBasePriorityPrivilege	9988	symsnreg.exe
Token: SeIncBasePriorityPrivilege	9316	symsnreg.exe
Token: SeIncBasePriorityPrivilege	10216	symsnreg.exe
Token: SeIncBasePriorityPrivilege	10588	symsnreg.exe
Token: SeIncBasePriorityPrivilege	10860	symsnreg.exe
Token: SeIncBasePriorityPrivilege	11216	symsnreg.exe
Token: SeIncBasePriorityPrivilege	10804	symsnreg.exe
Token: SeIncBasePriorityPrivilege	11360	symsnreg.exe
Token: SeIncBasePriorityPrivilege	11676	symsnreg.exe
Token: SeIncBasePriorityPrivilege	11948	symsnreg.exe
Token: SeIncBasePriorityPrivilege	10488	symsnreg.exe
Token: SeIncBasePriorityPrivilege	12116	symsnreg.exe
Token: SeIncBasePriorityPrivilege	12308	symsnreg.exe
Token: SeIncBasePriorityPrivilege	12580	symsnreg.exe
Token: SeIncBasePriorityPrivilege	12860	symsnreg.exe
Token: SeIncBasePriorityPrivilege	13220	symsnreg.exe
Token: SeIncBasePriorityPrivilege	12640	symsnreg.exe
Token: SeIncBasePriorityPrivilege	12984	symsnreg.exe
Token: SeIncBasePriorityPrivilege	13552	symsnreg.exe
Token: SeIncBasePriorityPrivilege	13884	symsnreg.exe
Token: SeIncBasePriorityPrivilege	14216	symsnreg.exe
Token: SeIncBasePriorityPrivilege	13628	symsnreg.exe
Token: SeCreateGlobalPrivilege	1276	dwm.exe
Token: SeChangeNotifyPrivilege	1276	dwm.exe
Token: 33	1276	dwm.exe
Token: SeIncBasePriorityPrivilege	1276	dwm.exe
Token: SeShutdownPrivilege	1276	dwm.exe
Token: SeCreatePagefilePrivilege	1276	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 60	1852	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	86
PID 1852 wrote to memory of 60	1852	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	86
PID 1852 wrote to memory of 60	1852	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	86
PID 1852 wrote to memory of 60	1852	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	86
PID 1852 wrote to memory of 60	1852	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	86
PID 1852 wrote to memory of 60	1852	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	86
PID 1852 wrote to memory of 60	1852	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	86
PID 1852 wrote to memory of 60	1852	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	86
PID 60 wrote to memory of 4940	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	89
PID 60 wrote to memory of 4940	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	89
PID 60 wrote to memory of 4940	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	89
PID 60 wrote to memory of 1116	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	90
PID 60 wrote to memory of 1116	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	90
PID 60 wrote to memory of 1116	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	90
PID 60 wrote to memory of 4908	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	91
PID 60 wrote to memory of 4908	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	91
PID 60 wrote to memory of 4908	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	91
PID 60 wrote to memory of 4884	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	92
PID 60 wrote to memory of 4884	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	92
PID 60 wrote to memory of 4884	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	92
PID 60 wrote to memory of 224	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	93
PID 60 wrote to memory of 224	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	93
PID 60 wrote to memory of 224	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	93
PID 4940 wrote to memory of 1368	4940	symsnreg.exe	94
PID 4940 wrote to memory of 1368	4940	symsnreg.exe	94
PID 4940 wrote to memory of 1368	4940	symsnreg.exe	94
PID 60 wrote to memory of 4456	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	95
PID 60 wrote to memory of 4456	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	95
PID 60 wrote to memory of 4456	60	a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe	95
PID 4940 wrote to memory of 1368	4940	symsnreg.exe	94
PID 4940 wrote to memory of 1368	4940	symsnreg.exe	94
PID 4940 wrote to memory of 1368	4940	symsnreg.exe	94
PID 4940 wrote to memory of 1368	4940	symsnreg.exe	94
PID 4940 wrote to memory of 1368	4940	symsnreg.exe	94
PID 1368 wrote to memory of 4584	1368	symsnreg.exe	101
PID 1368 wrote to memory of 4584	1368	symsnreg.exe	101
PID 1368 wrote to memory of 4584	1368	symsnreg.exe	101
PID 1368 wrote to memory of 3640	1368	symsnreg.exe	102
PID 1368 wrote to memory of 3640	1368	symsnreg.exe	102
PID 1368 wrote to memory of 3640	1368	symsnreg.exe	102
PID 1368 wrote to memory of 3036	1368	symsnreg.exe	103
PID 1368 wrote to memory of 3036	1368	symsnreg.exe	103
PID 1368 wrote to memory of 3036	1368	symsnreg.exe	103
PID 1368 wrote to memory of 3868	1368	symsnreg.exe	104
PID 1368 wrote to memory of 3868	1368	symsnreg.exe	104
PID 1368 wrote to memory of 3868	1368	symsnreg.exe	104
PID 1368 wrote to memory of 4580	1368	symsnreg.exe	105
PID 1368 wrote to memory of 4580	1368	symsnreg.exe	105
PID 1368 wrote to memory of 4580	1368	symsnreg.exe	105
PID 1368 wrote to memory of 4472	1368	symsnreg.exe	106
PID 1368 wrote to memory of 4472	1368	symsnreg.exe	106
PID 1368 wrote to memory of 4472	1368	symsnreg.exe	106
PID 4584 wrote to memory of 4960	4584	symsnreg.exe	108
PID 4584 wrote to memory of 4960	4584	symsnreg.exe	108
PID 4584 wrote to memory of 4960	4584	symsnreg.exe	108
PID 4584 wrote to memory of 4960	4584	symsnreg.exe	108
PID 4584 wrote to memory of 4960	4584	symsnreg.exe	108
PID 4584 wrote to memory of 4960	4584	symsnreg.exe	108
PID 4584 wrote to memory of 4960	4584	symsnreg.exe	108
PID 4584 wrote to memory of 4960	4584	symsnreg.exe	108
PID 4960 wrote to memory of 2200	4960	symsnreg.exe	113
PID 4960 wrote to memory of 2200	4960	symsnreg.exe	113
PID 4960 wrote to memory of 2200	4960	symsnreg.exe	113
PID 4960 wrote to memory of 1004	4960	symsnreg.exe	114

C:\Users\Admin\AppData\Local\Temp\a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a3cdde4d17de1505f31cf6df00caf1ad_JaffaCakes118.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Checks computer location settings
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\symsnreg.exe
    "C:\Windows\system32\symsnreg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\SysWOW64\symsnreg.exe
      "C:\Windows\SysWOW64\symsnreg.exe"
      4⤵
      Disables RegEdit via registry modification
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        6⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2200
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        8⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4444
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        10⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3284
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        12⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        14⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4488
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        16⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3212
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        18⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5124
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5380
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        20⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5680
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        22⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5784
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6068
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        24⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5780
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        26⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6084
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        28⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6240
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6508
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        30⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6608
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6896
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        32⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:7000
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6260
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        34⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6636
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6176
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        36⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:7204
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7424
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        38⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:7520
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7736
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        40⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:7844
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:8072
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        42⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:8184
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7588
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        44⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:7904
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:8044
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        46⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:8288
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:8504
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        48⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:8592
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:8848
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        50⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:8936
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:9176
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        52⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:8244
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:8596
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        54⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:9092
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:9232
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        56⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:9328
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:9560
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        58⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:9668
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:9892
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        60⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:9988
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:10212
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        62⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:9316
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:10100
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        64⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:10216
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:10468
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        66⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:10588
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:10804
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        68⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:10860
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:11128
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        70⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:11216
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:10468
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        72⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:10804
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:9412
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        74⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:11360
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:11580
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        76⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:11676
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:11896
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        78⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:11948
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:12212
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        80⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:10488
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:11748
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        82⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:12116
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:11964
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        84⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:12308
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:12520
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        86⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:12580
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:12808
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        88⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:12860
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:13124
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        90⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:13220
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:12528
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        92⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:12640
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        94⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:12984
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:13472
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        96⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:13552
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:13788
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        98⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:13884
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:14112
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        100⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:14216
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:13536
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        102⤵
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:13628
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\system32\symsnreg.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:14320
        
        C:\Windows\SysWOW64\symsnreg.exe
        
        "C:\Windows\SysWOW64\symsnreg.exe"
        104⤵
        
        PID:13672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:13584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        101⤵
        
        PID:13576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        101⤵
        
        PID:13548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        101⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:14124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:14132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        99⤵
        
        PID:14140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        99⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        99⤵
        
        PID:14164
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:13800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:13808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        97⤵
        
        PID:13816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        97⤵
        
        PID:13824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        97⤵
        
        PID:13840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:13484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:13492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        95⤵
        
        PID:13500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        95⤵
        
        PID:13508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        95⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:13296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:12296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        93⤵
        
        PID:12304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        93⤵
        
        PID:12292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        93⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:12588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:12808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:12612
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:12524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:12540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        91⤵
        
        PID:12668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:13136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:13144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        89⤵
        
        PID:13152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        89⤵
        
        PID:13160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        89⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:12824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:12832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:12840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        87⤵
        
        PID:12848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        87⤵
        
        PID:12872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:12532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        
        PID:12544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:12552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        85⤵
        
        PID:12560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:12572
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        83⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:12156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        83⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:11980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:11996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        81⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        81⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:11940
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        79⤵
        
        PID:12240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        79⤵
        
        PID:12248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        79⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:11908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        77⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:11932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        77⤵
        
        PID:11956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:11592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:11608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:11616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        75⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:11284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        73⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        73⤵
        
        PID:11300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        73⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        71⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:10720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:10876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        69⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        69⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:11180
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        67⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        67⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        67⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        65⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:10516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        65⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        63⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        63⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        63⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        61⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:8588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:9184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        59⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        59⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        59⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        57⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        57⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        57⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        55⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        55⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        55⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:8948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        53⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        53⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:8860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:9196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        51⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        51⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        51⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        49⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        49⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:8904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        47⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        47⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        47⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        45⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        45⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:8236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:7640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        43⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        43⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:8104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        41⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        41⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        41⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        39⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        39⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        39⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:7440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        37⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        37⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        37⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        35⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        35⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        35⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:6316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        33⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:6324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:6920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        31⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        31⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        31⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        29⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        29⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        29⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        27⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        27⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        27⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        25⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        25⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        25⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        23⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        23⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        23⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        21⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        21⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        21⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        19⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        19⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        19⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        17⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        17⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        17⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        15⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        15⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        13⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        13⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        13⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        11⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        11⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        9⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        9⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        7⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        7⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        7⤵
        
        PID:2528
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:3640
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
        5⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
        5⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\symsnreg.exe > nul
        5⤵
        
        PID:4472
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A3CDDE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4456

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\symsnreg.exe

Filesize
71KB

MD5
a3cdde4d17de1505f31cf6df00caf1ad

SHA1
2b39f4bf2a70ca0ca57f280cf07c2c835a3663e6

SHA256
94a2ec7f9b4a6dca1d1c4f33a2c3bcc6d3f667867c37b03e11f3d07ec78e7f90

SHA512
0b7c25e0a3f73aef5bbc369c8f71dbfe5f1f5ec0ad797b5bf53a9034441d7cad6053d3f2b2bfae372cbeaa51016ae7e35ab13d39144087ba7f471f96c63d123a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
8KB

MD5
a7301e28065d05b884ca76c1bb28f716

SHA1
d95ffd2c1a3d01d016c6c344e025e206a254af23

SHA256
b61f5f810df3304ce4c0c9cd73f5a55e5815f94cd968a398542cd5de0b626e55

SHA512
db570978b7264e12648c39c853f6e3697692a7175edcb27f5b268492fb0c0d31b04f4dfa40bc4373e9cddb4d7e771d15512c13f7bf17c91843562c0de71d2d07

Download Submit
memory/60-2-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/60-1-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/60-5-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/60-0-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/1852-4-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download
memory/2200-98-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download
memory/3284-122-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download
memory/4420-133-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download
memory/4444-110-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download
memory/4488-147-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download
memory/4584-86-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download
memory/4940-75-0x0000000000050000-0x0000000000069000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads