cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Size

65KB
MD5

19d88235a435a3f2199eabfe427e9c48
SHA1

ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68
SHA256

cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca
SHA512

2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e
SSDEEP

1536:8RkN4xKr7TVkSzODZIC4o91zxeqjD/vaGv9MCNp0nhz:2kCKrFk2C4o91zxP3aGvRNChz

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 59 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgscnr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgscnr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgscnr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashwbsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgectam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgectam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgupsrvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashwbsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgectam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgemkdr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgupsrvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashmailsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avirarkmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgupsrvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashmailsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashmailsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aswupsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aswupsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avirarkmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgectam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmsva.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsvam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmsva.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgectam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aswupsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashmailsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgscnr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsvam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgectam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmsva.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashmailsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashwbsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsvam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmsva.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmsva.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
468	avgwsvcm.exe
1812	avgwsvcm.exe
1980	avgscnr.exe
388	avgscnr.exe
1948	ashmailsrc.exe
1372	ashmailsrc.exe
1416	avirarkmd.exe
1528	avirarkmd.exe
1172	ashwbsm.exe
1952	ashwbsm.exe
1684	avcntlx.exe
1544	avcntlx.exe
1960	avgapgui.exe
1124	avgapgui.exe
944	avgapgui.exe
1048	avgapgui.exe
1756	ashwbsm.exe
1988	ashwbsm.exe
2024	avgmgent.exe
1688	avgmgent.exe
336	avgupsrvc.exe
1188	avgupsrvc.exe
1044	avgupsrvc.exe
1684	avgupsrvc.exe
1132	avgscnr.exe
1960	avgscnr.exe
1176	avgwsvcm.exe
1724	avgwsvcm.exe
960	avgmgent.exe
1564	avgmgent.exe
1580	avgectam.exe
1456	avgectam.exe
900	avgapgui.exe
2020	avgapgui.exe
1980	aswupsrc.exe
1608	aswupsrc.exe
520	avgmgent.exe
1148	avgmgent.exe
1620	avirarkmd.exe
1188	avirarkmd.exe
1976	avgwsvcm.exe
1112	avgwsvcm.exe
1820	avgectam.exe
2036	avgectam.exe
1968	avgmsva.exe
892	avgmsva.exe
1056	avgupsrvc.exe
1956	avgupsrvc.exe
268	avgmgent.exe
2012	avgmgent.exe
336	avgectam.exe
832	avgectam.exe
580	avgwsvcm.exe
2000	avgwsvcm.exe
960	avgmsva.exe
1312	avgmsva.exe
1984	avcntlx.exe
900	avcntlx.exe
1668	avgscnr.exe
2024	avgscnr.exe
2004	avgectam.exe
324	avgectam.exe
1280	ashsdlp.exe
1988	ashsdlp.exe

Deletes itself 1 IoCs

pid	Process
1580	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
1812	avgwsvcm.exe
1812	avgwsvcm.exe
388	avgscnr.exe
388	avgscnr.exe
1372	ashmailsrc.exe
1372	ashmailsrc.exe
1528	avirarkmd.exe
1528	avirarkmd.exe
1952	ashwbsm.exe
1952	ashwbsm.exe
1544	avcntlx.exe
1544	avcntlx.exe
1124	avgapgui.exe
1124	avgapgui.exe
1048	avgapgui.exe
1048	avgapgui.exe
1988	ashwbsm.exe
1988	ashwbsm.exe
1688	avgmgent.exe
1688	avgmgent.exe
1188	avgupsrvc.exe
1188	avgupsrvc.exe
1684	avgupsrvc.exe
1684	avgupsrvc.exe
1960	avgscnr.exe
1960	avgscnr.exe
1724	avgwsvcm.exe
1724	avgwsvcm.exe
1564	avgmgent.exe
1564	avgmgent.exe
1456	avgectam.exe
1456	avgectam.exe
2020	avgapgui.exe
2020	avgapgui.exe
1608	aswupsrc.exe
1608	aswupsrc.exe
1148	avgmgent.exe
1148	avgmgent.exe
1188	avirarkmd.exe
1188	avirarkmd.exe
1112	avgwsvcm.exe
1112	avgwsvcm.exe
2036	avgectam.exe
2036	avgectam.exe
892	avgmsva.exe
892	avgmsva.exe
1956	avgupsrvc.exe
1956	avgupsrvc.exe
2012	avgmgent.exe
2012	avgmgent.exe
832	avgectam.exe
832	avgectam.exe
2000	avgwsvcm.exe
2000	avgwsvcm.exe
1312	avgmsva.exe
1312	avgmsva.exe
900	avcntlx.exe
900	avcntlx.exe
2024	avgscnr.exe
2024	avgscnr.exe
324	avgectam.exe
324	avgectam.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgmgent.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Security System = "avgwsvcm.exe"	ashmailsrc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus GUI = "avgapgui.exe"	avgscnr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Controller = "avgectam.exe"	ashsvam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avirarkmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgectam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgwsvcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ashwbsm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ashmailsrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Security System = "avgwsvcm.exe"	avgectam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgectam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	ashsvam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Servicer = "ashsvam.exe"	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Rootkit Remover = "avirarkmd.exe"	ashmailsrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast WebWatch Client = "ashwbsm.exe"	avirarkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Security System = "avgwsvcm.exe"	avgscnr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgwsvcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus GUI = "avgapgui.exe"	avgapgui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast MailWatch Client = "ashmailsrc.exe"	avgscnr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Display Service = "ashsdlp.exe"	ashmailsrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Servicer = "avgupsrvc.exe"	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Display Service = "ashsdlp.exe"	avgectam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Control = "avcntlx.exe"	avgectam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast MailWatch Client = "ashmailsrc.exe"	avgmsva.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Security System = "avgwsvcm.exe"	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	aswupsrc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgscnr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Controller = "avgectam.exe"	avgmgent.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgapgui.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ashsvam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgectam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir DB Management = "avgmgent.exe"	avgupsrvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Scanner = "avgscnr.exe"	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Controller = "avgectam.exe"	avgscnr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir DB Management = "avgmgent.exe"	avgwsvcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	aswupsrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus GUI = "avgapgui.exe"	ashsdlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgapgui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Controller = "avgectam.exe"	avgwsvcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	avgectam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgapgui.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Display Service = "ashsdlp.exe"	avgapgui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Servicer = "avgupsrvc.exe"	avgmgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Auto-Updater = "aswupsrc.exe"	avgapgui.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgectam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Scanner = "avgscnr.exe"	avgwsvcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgscnr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir DB Management = "avgmgent.exe"	ashwbsm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Auto-Updater = "aswupsrc.exe"	aswupsrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast MailWatch Client = "ashmailsrc.exe"	avgmsva.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgupsrvc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ashsvam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast MailWatch Client = "ashmailsrc.exe"	avgapgui.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avgectam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Scanner = "avgscnr.exe"	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	avgwsvcm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\avcntlx.exe	ashwbsm.exe
File created	C:\Windows\SysWOW64\avgwsvcm.exe	avgscnr.exe
File created	C:\Windows\SysWOW64\avgmsva.exe	avgwsvcm.exe
File opened for modification	C:\Windows\SysWOW64\ashsdlp.exe	ashsdlp.exe
File created	C:\Windows\SysWOW64\ashsdlp.exe	ashmailsrc.exe
File created	C:\Windows\SysWOW64\avgscnr.exe	avgwsvcm.exe
File created	C:\Windows\SysWOW64\avgwsvcm.exe	avirarkmd.exe
File created	C:\Windows\SysWOW64\ashsvam.exe	ashsdlp.exe
File created	C:\Windows\SysWOW64\avgapgui.exe	avcntlx.exe
File created	C:\Windows\SysWOW64\aswupsrc.exe	avgapgui.exe
File opened for modification	C:\Windows\SysWOW64\avgectam.exe	avgscnr.exe
File created	C:\Windows\SysWOW64\ashsvam.exe	ashsdlp.exe
File created	C:\Windows\SysWOW64\avgectam.exe	ashmailsrc.exe
File opened for modification	C:\Windows\SysWOW64\ashmailsrc.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\avgupsrvc.exe	avgmgent.exe
File opened for modification	C:\Windows\SysWOW64\avgmsva.exe	avgwsvcm.exe
File opened for modification	C:\Windows\SysWOW64\avgapgui.exe	ashsdlp.exe
File opened for modification	C:\Windows\SysWOW64\avgwsvcm.exe	ashmailsrc.exe
File opened for modification	C:\Windows\SysWOW64\avirarkmd.exe	ashmailsrc.exe
File opened for modification	C:\Windows\SysWOW64\avgupsrvc.exe	avgupsrvc.exe
File created	C:\Windows\SysWOW64\avgmgent.exe	aswupsrc.exe
File created	C:\Windows\SysWOW64\avgectam.exe	avgmgent.exe
File created	C:\Windows\SysWOW64\avcntlx.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\ashsvam.exe	ashsdlp.exe
File created	C:\Windows\SysWOW64\ashmailsrc.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\avgapgui.exe	avgscnr.exe
File opened for modification	C:\Windows\SysWOW64\avgscnr.exe	avgwsvcm.exe
File created	C:\Windows\SysWOW64\ashmailsrc.exe	avgscnr.exe
File opened for modification	C:\Windows\SysWOW64\avcntlx.exe	avgectam.exe
File created	C:\Windows\SysWOW64\avgscnr.exe	avgwsvcm.exe
File created	C:\Windows\SysWOW64\avgscnr.exe	avcntlx.exe
File created	C:\Windows\SysWOW64\avgscnr.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\avcntlx.exe	ashwbsm.exe
File created	C:\Windows\SysWOW64\avgapgui.exe	avgapgui.exe
File created	C:\Windows\SysWOW64\avgmgent.exe	avgwsvcm.exe
File created	C:\Windows\SysWOW64\avgectam.exe	avgwsvcm.exe
File created	C:\Windows\SysWOW64\avgupsrvc.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\avgscnr.exe	avcntlx.exe
File opened for modification	C:\Windows\SysWOW64\ashmailsrc.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\ashwbsm.exe	avgemkdr.exe
File created	C:\Windows\SysWOW64\aswupsrc.exe	ashsvam.exe
File opened for modification	C:\Windows\SysWOW64\avgapgui.exe	avgapgui.exe
File opened for modification	C:\Windows\SysWOW64\avgectam.exe	ashsvam.exe
File created	C:\Windows\SysWOW64\avgwsvcm.exe	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
File created	C:\Windows\SysWOW64\avgmgent.exe	ashwbsm.exe
File opened for modification	C:\Windows\SysWOW64\avgectam.exe	avgmgent.exe
File opened for modification	C:\Windows\SysWOW64\avgmsva.exe	avgectam.exe
File opened for modification	C:\Windows\SysWOW64\ashsdlp.exe	avgapgui.exe
File created	C:\Windows\SysWOW64\avgmsva.exe	ashsvam.exe
File opened for modification	C:\Windows\SysWOW64\avgscnr.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\ashwbsm.exe	avirarkmd.exe
File opened for modification	C:\Windows\SysWOW64\avgmsva.exe	avcntlx.exe
File created	C:\Windows\SysWOW64\ashsvam.exe	ashmailsrc.exe
File opened for modification	C:\Windows\SysWOW64\ashsvam.exe	ashmailsrc.exe
File opened for modification	C:\Windows\SysWOW64\avcntlx.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\ashmailsrc.exe	aswupsrc.exe
File opened for modification	C:\Windows\SysWOW64\avgectam.exe	ashmailsrc.exe
File created	C:\Windows\SysWOW64\avgupsrvc.exe	avgupsrvc.exe
File opened for modification	C:\Windows\SysWOW64\avgscnr.exe	avgupsrvc.exe
File opened for modification	C:\Windows\SysWOW64\avgapgui.exe	avgectam.exe
File created	C:\Windows\SysWOW64\avgmsva.exe	ashwbsm.exe
File created	C:\Windows\SysWOW64\avgmgent.exe	avgupsrvc.exe
File created	C:\Windows\SysWOW64\avgectam.exe	avgscnr.exe
File opened for modification	C:\Windows\SysWOW64\avgapgui.exe	avcntlx.exe

Suspicious use of SetThreadContext 59 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 1928	1900	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	27
PID 468 set thread context of 1812	468	avgwsvcm.exe	37
PID 1980 set thread context of 388	1980	avgscnr.exe	47
PID 1948 set thread context of 1372	1948	ashmailsrc.exe	57
PID 1416 set thread context of 1528	1416	avirarkmd.exe	67
PID 1172 set thread context of 1952	1172	ashwbsm.exe	77
PID 1684 set thread context of 1544	1684	avcntlx.exe	87
PID 1960 set thread context of 1124	1960	avgapgui.exe	97
PID 944 set thread context of 1048	944	avgapgui.exe	107
PID 1756 set thread context of 1988	1756	ashwbsm.exe	117
PID 2024 set thread context of 1688	2024	avgmgent.exe	127
PID 336 set thread context of 1188	336	avgupsrvc.exe	137
PID 1044 set thread context of 1684	1044	avgupsrvc.exe	147
PID 1132 set thread context of 1960	1132	avgscnr.exe	157
PID 1176 set thread context of 1724	1176	avgwsvcm.exe	167
PID 960 set thread context of 1564	960	avgmgent.exe	177
PID 1580 set thread context of 1456	1580	avgectam.exe	187
PID 900 set thread context of 2020	900	avgapgui.exe	197
PID 1980 set thread context of 1608	1980	aswupsrc.exe	207
PID 520 set thread context of 1148	520	avgmgent.exe	217
PID 1620 set thread context of 1188	1620	avirarkmd.exe	227
PID 1976 set thread context of 1112	1976	avgwsvcm.exe	237
PID 1820 set thread context of 2036	1820	avgectam.exe	247
PID 1968 set thread context of 892	1968	avgmsva.exe	257
PID 1056 set thread context of 1956	1056	avgupsrvc.exe	267
PID 268 set thread context of 2012	268	avgmgent.exe	277
PID 336 set thread context of 832	336	avgectam.exe	287
PID 580 set thread context of 2000	580	avgwsvcm.exe	297
PID 960 set thread context of 1312	960	avgmsva.exe	307
PID 1984 set thread context of 900	1984	avcntlx.exe	317
PID 1668 set thread context of 2024	1668	avgscnr.exe	327
PID 2004 set thread context of 324	2004	avgectam.exe	337
PID 1280 set thread context of 1988	1280	ashsdlp.exe	347
PID 1828 set thread context of 1740	1828	ashsdlp.exe	357
PID 1872 set thread context of 2008	1872	ashsvam.exe	367
PID 1156 set thread context of 1216	1156	aswupsrc.exe	377
PID 1580 set thread context of 1944	1580	aswupsrc.exe	387
PID 684 set thread context of 768	684	ashmailsrc.exe	397
PID 1564 set thread context of 992	1564	ashsdlp.exe	407
PID 568 set thread context of 964	568	avgapgui.exe	417
PID 888 set thread context of 1468	888	avgapgui.exe	427
PID 1904 set thread context of 1756	1904	ashmailsrc.exe	437
PID 1792 set thread context of 892	1792	avgectam.exe	447
PID 1456 set thread context of 1920	1456	avcntlx.exe	457
PID 1388 set thread context of 764	1388	avgmsva.exe	467
PID 2016 set thread context of 824	2016	ashmailsrc.exe	477
PID 1172 set thread context of 1056	1172	avgwsvcm.exe	487
PID 1524 set thread context of 1916	1524	avgscnr.exe	497
PID 2028 set thread context of 1688	2028	avgapgui.exe	507
PID 684 set thread context of 1480	684	ashsdlp.exe	517
PID 1620 set thread context of 1044	1620	ashsvam.exe	527
PID 1816 set thread context of 1988	1816	avgmsva.exe	537
PID 1132 set thread context of 576	1132	ashmailsrc.exe	547
PID 1040 set thread context of 1936	1040	ashsvam.exe	557
PID 1492 set thread context of 1184	1492	avgectam.exe	567
PID 992 set thread context of 1732	992	avgwsvcm.exe	577
PID 568 set thread context of 584	568	avgemkdr.exe	587
PID 1456 set thread context of 2036	1456	ashwbsm.exe	597
PID 1996 set thread context of 1916	1996	avgmsva.exe	607

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Token: SeIncBasePriorityPrivilege	1812	avgwsvcm.exe
Token: SeIncBasePriorityPrivilege	388	avgscnr.exe
Token: SeIncBasePriorityPrivilege	1372	ashmailsrc.exe
Token: SeIncBasePriorityPrivilege	1528	avirarkmd.exe
Token: SeIncBasePriorityPrivilege	1952	ashwbsm.exe
Token: SeIncBasePriorityPrivilege	1544	avcntlx.exe
Token: SeIncBasePriorityPrivilege	1124	avgapgui.exe
Token: SeIncBasePriorityPrivilege	1048	avgapgui.exe
Token: SeIncBasePriorityPrivilege	1988	ashwbsm.exe
Token: SeIncBasePriorityPrivilege	1688	avgmgent.exe
Token: SeIncBasePriorityPrivilege	1188	avgupsrvc.exe
Token: SeIncBasePriorityPrivilege	1684	avgupsrvc.exe
Token: SeIncBasePriorityPrivilege	1960	avgscnr.exe
Token: SeIncBasePriorityPrivilege	1724	avgwsvcm.exe
Token: SeIncBasePriorityPrivilege	1564	avgmgent.exe
Token: SeIncBasePriorityPrivilege	1456	avgectam.exe
Token: SeIncBasePriorityPrivilege	2020	avgapgui.exe
Token: SeIncBasePriorityPrivilege	1608	aswupsrc.exe
Token: SeIncBasePriorityPrivilege	1148	avgmgent.exe
Token: SeIncBasePriorityPrivilege	1188	avirarkmd.exe
Token: SeIncBasePriorityPrivilege	1112	avgwsvcm.exe
Token: SeIncBasePriorityPrivilege	2036	avgectam.exe
Token: SeIncBasePriorityPrivilege	892	avgmsva.exe
Token: SeIncBasePriorityPrivilege	1956	avgupsrvc.exe
Token: SeIncBasePriorityPrivilege	2012	avgmgent.exe
Token: SeIncBasePriorityPrivilege	832	avgectam.exe
Token: SeIncBasePriorityPrivilege	2000	avgwsvcm.exe
Token: SeIncBasePriorityPrivilege	1312	avgmsva.exe
Token: SeIncBasePriorityPrivilege	900	avcntlx.exe
Token: SeIncBasePriorityPrivilege	2024	avgscnr.exe
Token: SeIncBasePriorityPrivilege	324	avgectam.exe
Token: SeIncBasePriorityPrivilege	1988	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	1740	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	2008	ashsvam.exe
Token: SeIncBasePriorityPrivilege	1216	aswupsrc.exe
Token: SeIncBasePriorityPrivilege	1944	aswupsrc.exe
Token: SeIncBasePriorityPrivilege	768	ashmailsrc.exe
Token: SeIncBasePriorityPrivilege	992	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	964	avgapgui.exe
Token: SeIncBasePriorityPrivilege	1468	avgapgui.exe
Token: SeIncBasePriorityPrivilege	1756	ashmailsrc.exe
Token: SeIncBasePriorityPrivilege	892	avgectam.exe
Token: SeIncBasePriorityPrivilege	1920	avcntlx.exe
Token: SeIncBasePriorityPrivilege	764	avgmsva.exe
Token: SeIncBasePriorityPrivilege	824	ashmailsrc.exe
Token: SeIncBasePriorityPrivilege	1056	avgwsvcm.exe
Token: SeIncBasePriorityPrivilege	1916	avgscnr.exe
Token: SeIncBasePriorityPrivilege	1688	avgapgui.exe
Token: SeIncBasePriorityPrivilege	1480	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	1044	ashsvam.exe
Token: SeIncBasePriorityPrivilege	1988	avgmsva.exe
Token: SeIncBasePriorityPrivilege	576	ashmailsrc.exe
Token: SeIncBasePriorityPrivilege	1936	ashsvam.exe
Token: SeIncBasePriorityPrivilege	1184	avgectam.exe
Token: SeIncBasePriorityPrivilege	1732	avgwsvcm.exe
Token: SeIncBasePriorityPrivilege	584	avgemkdr.exe
Token: SeIncBasePriorityPrivilege	2036	ashwbsm.exe
Token: SeIncBasePriorityPrivilege	1916	avgmsva.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1928	1900	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	27
PID 1900 wrote to memory of 1928	1900	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	27
PID 1900 wrote to memory of 1928	1900	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	27
PID 1900 wrote to memory of 1928	1900	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	27
PID 1900 wrote to memory of 1928	1900	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	27
PID 1900 wrote to memory of 1928	1900	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	27
PID 1900 wrote to memory of 1928	1900	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	27
PID 1900 wrote to memory of 1928	1900	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	27
PID 1900 wrote to memory of 1928	1900	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	27
PID 1928 wrote to memory of 468	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	28
PID 1928 wrote to memory of 468	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	28
PID 1928 wrote to memory of 468	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	28
PID 1928 wrote to memory of 468	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	28
PID 1928 wrote to memory of 892	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	29
PID 1928 wrote to memory of 892	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	29
PID 1928 wrote to memory of 892	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	29
PID 1928 wrote to memory of 892	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	29
PID 1928 wrote to memory of 268	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	34
PID 1928 wrote to memory of 268	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	34
PID 1928 wrote to memory of 268	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	34
PID 1928 wrote to memory of 268	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	34
PID 1928 wrote to memory of 2000	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	33
PID 1928 wrote to memory of 2000	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	33
PID 1928 wrote to memory of 2000	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	33
PID 1928 wrote to memory of 2000	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	33
PID 1928 wrote to memory of 1580	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	32
PID 1928 wrote to memory of 1580	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	32
PID 1928 wrote to memory of 1580	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	32
PID 1928 wrote to memory of 1580	1928	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	32
PID 468 wrote to memory of 1812	468	avgwsvcm.exe	37
PID 468 wrote to memory of 1812	468	avgwsvcm.exe	37
PID 468 wrote to memory of 1812	468	avgwsvcm.exe	37
PID 468 wrote to memory of 1812	468	avgwsvcm.exe	37
PID 468 wrote to memory of 1812	468	avgwsvcm.exe	37
PID 468 wrote to memory of 1812	468	avgwsvcm.exe	37
PID 468 wrote to memory of 1812	468	avgwsvcm.exe	37
PID 468 wrote to memory of 1812	468	avgwsvcm.exe	37
PID 468 wrote to memory of 1812	468	avgwsvcm.exe	37
PID 1812 wrote to memory of 1980	1812	avgwsvcm.exe	38
PID 1812 wrote to memory of 1980	1812	avgwsvcm.exe	38
PID 1812 wrote to memory of 1980	1812	avgwsvcm.exe	38
PID 1812 wrote to memory of 1980	1812	avgwsvcm.exe	38
PID 1812 wrote to memory of 1708	1812	avgwsvcm.exe	44
PID 1812 wrote to memory of 1708	1812	avgwsvcm.exe	44
PID 1812 wrote to memory of 1708	1812	avgwsvcm.exe	44
PID 1812 wrote to memory of 1708	1812	avgwsvcm.exe	44
PID 1812 wrote to memory of 1964	1812	avgwsvcm.exe	43
PID 1812 wrote to memory of 1964	1812	avgwsvcm.exe	43
PID 1812 wrote to memory of 1964	1812	avgwsvcm.exe	43
PID 1812 wrote to memory of 1964	1812	avgwsvcm.exe	43
PID 1812 wrote to memory of 1324	1812	avgwsvcm.exe	41
PID 1812 wrote to memory of 1324	1812	avgwsvcm.exe	41
PID 1812 wrote to memory of 1324	1812	avgwsvcm.exe	41
PID 1812 wrote to memory of 1324	1812	avgwsvcm.exe	41
PID 1812 wrote to memory of 1716	1812	avgwsvcm.exe	42
PID 1812 wrote to memory of 1716	1812	avgwsvcm.exe	42
PID 1812 wrote to memory of 1716	1812	avgwsvcm.exe	42
PID 1812 wrote to memory of 1716	1812	avgwsvcm.exe	42
PID 1980 wrote to memory of 388	1980	avgscnr.exe	47
PID 1980 wrote to memory of 388	1980	avgscnr.exe	47
PID 1980 wrote to memory of 388	1980	avgscnr.exe	47
PID 1980 wrote to memory of 388	1980	avgscnr.exe	47
PID 1980 wrote to memory of 388	1980	avgscnr.exe	47
PID 1980 wrote to memory of 388	1980	avgscnr.exe	47

C:\Users\Admin\AppData\Local\Temp\cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
"C:\Users\Admin\AppData\Local\Temp\cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
  "C:\Users\Admin\AppData\Local\Temp\cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\avgwsvcm.exe
    "C:\Windows\system32\avgwsvcm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\avgwsvcm.exe
      "C:\Windows\SysWOW64\avgwsvcm.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\system32\ashmailsrc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1948
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\SysWOW64\ashmailsrc.exe"
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\system32\avirarkmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1416
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\SysWOW64\avirarkmd.exe"
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1172
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        12⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1684
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        14⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1960
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        16⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:944
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        18⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1756
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        20⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\system32\avgmgent.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2024
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\SysWOW64\avgmgent.exe"
        22⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\system32\avgupsrvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:336
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\SysWOW64\avgupsrvc.exe"
        24⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\system32\avgupsrvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1044
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\SysWOW64\avgupsrvc.exe"
        26⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1132
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        28⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1176
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        30⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\system32\avgmgent.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:960
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\SysWOW64\avgmgent.exe"
        32⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1580
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        34⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:900
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        36⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\system32\aswupsrc.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1980
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\SysWOW64\aswupsrc.exe"
        38⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\system32\avgmgent.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:520
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\SysWOW64\avgmgent.exe"
        40⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\system32\avirarkmd.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1620
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\SysWOW64\avirarkmd.exe"
        42⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1976
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        44⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1820
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        46⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1968
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        48⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\system32\avgupsrvc.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1056
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\SysWOW64\avgupsrvc.exe"
        50⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\system32\avgmgent.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:268
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\SysWOW64\avgmgent.exe"
        52⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:336
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        54⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:580
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        56⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:960
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        58⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1984
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        60⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        61⤵
        
        PID:452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        61⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1668
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        62⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2004
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        64⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1280
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        66⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1828
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        68⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:1872
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        70⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\system32\aswupsrc.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:1156
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\SysWOW64\aswupsrc.exe"
        72⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\system32\aswupsrc.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:1580
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\SysWOW64\aswupsrc.exe"
        74⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\system32\ashmailsrc.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:684
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\SysWOW64\ashmailsrc.exe"
        76⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:1564
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        78⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:568
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        80⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:888
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        82⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\system32\ashmailsrc.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:1904
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\SysWOW64\ashmailsrc.exe"
        84⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:1792
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        86⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:1456
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        88⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:1388
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        90⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\system32\ashmailsrc.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2016
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\SysWOW64\ashmailsrc.exe"
        92⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ASHMAI~1.EXE > nul
        93⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        93⤵
        
        PID:632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:304
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:1172
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        94⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:1524
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        96⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:2028
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        98⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:684
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        100⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:1620
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        102⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:1816
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        104⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\system32\ashmailsrc.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:1132
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\SysWOW64\ashmailsrc.exe"
        106⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:1040
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        108⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:1492
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        110⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:992
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        112⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:568
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        114⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:1456
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        116⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:1996
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        118⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        119⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        119⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        119⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        117⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        117⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        115⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        115⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        113⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        113⤵
        
        PID:632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        111⤵
        
        PID:336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        111⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        109⤵
        
        PID:888
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        
        PID:836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        109⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        107⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ASHMAI~1.EXE > nul
        107⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        105⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        105⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        103⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        103⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        101⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        101⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        99⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        99⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        97⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        97⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        95⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        95⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        91⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        91⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        89⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        89⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        87⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        87⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        85⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ASHMAI~1.EXE > nul
        85⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        83⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        83⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        81⤵
        
        PID:360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        81⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        79⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        79⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        77⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ASHMAI~1.EXE > nul
        77⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        75⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\aswupsrc.exe > nul
        75⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        73⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\aswupsrc.exe > nul
        73⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        71⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        71⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        69⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        69⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        67⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        67⤵
        
        PID:992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        65⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        65⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        63⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        63⤵
        
        PID:580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        59⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        59⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        57⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        57⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        55⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        55⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmgent.exe > nul
        53⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        53⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        51⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVGUPS~1.EXE > nul
        51⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        49⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        49⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        47⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        47⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        45⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        45⤵
        
        PID:960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        43⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVIRAR~1.EXE > nul
        43⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:980
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmgent.exe > nul
        41⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        41⤵
        
        PID:468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        39⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\aswupsrc.exe > nul
        39⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        37⤵
        
        PID:552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        37⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        35⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        35⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        33⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmgent.exe > nul
        33⤵
        
        PID:580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        31⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        31⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        29⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        29⤵
        
        PID:984
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:632
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        27⤵
        
        PID:620
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVGUPS~1.EXE > nul
        27⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        25⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVGUPS~1.EXE > nul
        25⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmgent.exe > nul
        23⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        23⤵
        
        PID:576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        21⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        21⤵
        
        PID:924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        19⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        19⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        17⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        17⤵
        
        PID:836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        15⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        15⤵
        
        PID:972
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        13⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        13⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVIRAR~1.EXE > nul
        11⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        11⤵
        
        PID:960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ASHMAI~1.EXE > nul
        9⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        9⤵
        
        PID:576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        7⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        7⤵
        
        PID:900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        5⤵
        
        PID:1324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        5⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:1708
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CC124E~1.EXE > nul
    3⤵
    - Deletes itself
    PID:1580
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.scr
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ashmailsrc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashmailsrc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashmailsrc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avcntlx.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avcntlx.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avcntlx.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgmgent.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgmgent.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgmgent.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgscnr.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgscnr.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgscnr.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgwsvcm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgwsvcm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgwsvcm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avirarkmd.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avirarkmd.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avirarkmd.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\ashmailsrc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\ashmailsrc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avcntlx.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avcntlx.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgmgent.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgmgent.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgscnr.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgscnr.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgwsvcm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avgwsvcm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avirarkmd.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
\Windows\SysWOW64\avirarkmd.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
memory/268-546-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/268-532-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/336-545-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/336-559-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/336-329-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/336-348-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/468-77-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/468-101-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/520-448-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/520-462-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/580-560-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/580-573-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/900-433-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/900-420-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/944-280-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/944-255-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/960-574-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/960-390-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/960-405-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/960-587-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1044-347-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1044-362-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1056-531-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1056-518-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1124-253-0x0000000002C40000-0x0000000002C60000-memory.dmp

Filesize
128KB

Download
memory/1132-376-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1132-363-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1172-178-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1172-203-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1176-391-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1176-377-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1416-177-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1416-152-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1564-404-0x0000000002C30000-0x0000000002C50000-memory.dmp

Filesize
128KB

Download
memory/1580-406-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1580-419-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1620-461-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1620-475-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1668-602-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1684-229-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1684-204-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1756-305-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1756-281-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1820-503-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1820-490-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1900-68-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1900-54-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1928-56-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/1928-63-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/1928-60-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/1928-67-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/1928-58-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/1928-55-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/1928-66-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1948-151-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1948-127-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1952-195-0x0000000002D90000-0x0000000002DB0000-memory.dmp

Filesize
128KB

Download
memory/1960-230-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1960-256-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1968-504-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1968-517-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1976-489-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1976-476-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1980-434-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1980-447-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1980-126-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1980-102-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1984-601-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1984-588-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/2024-304-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/2024-328-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads