8576a75c652dc9e6cd91c64aeeb3de8eedff58dea0ca89da19f36176314abfe4

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 18:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
Size

73KB
MD5

2d57d5b3e5f2c05975e55437b817fece
SHA1

5180e06065681f3f3636c0eb22631147aaf03968
SHA256

8576a75c652dc9e6cd91c64aeeb3de8eedff58dea0ca89da19f36176314abfe4
SHA512

0a9439f4a28c00590f67f47344668ec5f3210f4a28a4cb9d88ee77e9c79e6025701752674c529e6aff44d1c3e478d795c8ddf2ad89892b8b2f001f06fb2f8d69
SSDEEP

1536:VW+0rI7A0w8J5eTUqN+I04zUD/8Jj2B0wOCnLDpCLk:X0rPuAAQ+Ie8JzwOCDpv

Score

10^/10

defense_evasion evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgscnr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avirarkmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgscnr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aswupsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgemkdr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgupsrvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashwbsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgupsrvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashmailsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashwbsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashwbsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgupsrvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsvam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgrdam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgscnr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgemkdr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgemkdr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avirarkmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avirarkmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgemkdr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmsva.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashwbsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashmailsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsvam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avirarkmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmsva.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgupsrvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsvam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsvam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgemkdr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashwbsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgemkdr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgscnr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgectam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsvam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgemkdr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aswupsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashwbsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgmsva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avirarkmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	aswupsrc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashwbsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashwbsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashsvam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgrdam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgscnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgectam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgapgui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashwbsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgmsva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgupsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashsvam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgmgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgectam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avirarkmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgmsva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgmgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgwsvcm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgrdam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgectam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgupsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashsdlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgscnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashsdlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgemkdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgrdam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgemkdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgemkdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avcntlx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgemkdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgmsva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgmsva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashsdlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avcntlx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashwbsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgmsva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashwbsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgwsvcm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avcntlx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgemkdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	aswupsrc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avcntlx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgscnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgscnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgapgui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgscnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashsdlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avirarkmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgscnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashmailsrc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashwbsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avirarkmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgemkdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgwsvcm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashsdlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashwbsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	aswupsrc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgupsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgscnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	aswupsrc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	avgwsvcm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ashsdlp.exe

Executes dropped EXE 64 IoCs

pid	Process
2492	avgmsva.exe
4052	avgmsva.exe
1364	avgmsva.exe
1164	avgmsva.exe
4156	avgmsva.exe
4512	avgmsva.exe
4932	ashsvam.exe
4728	ashsvam.exe
3944	ashwbsm.exe
1940	ashwbsm.exe
2224	ashwbsm.exe
4492	ashwbsm.exe
2464	avirarkmd.exe
2092	avirarkmd.exe
2360	ashsdlp.exe
2692	ashsdlp.exe
3780	avgmsva.exe
3316	avgmsva.exe
2136	avgemkdr.exe
4532	avgemkdr.exe
2052	avcntlx.exe
560	avcntlx.exe
4252	avgmsva.exe
4352	avgmsva.exe
1348	avgectam.exe
4268	avgectam.exe
4220	ashwbsm.exe
3288	ashwbsm.exe
2136	avgemkdr.exe
912	avgemkdr.exe
3604	ashmailsrc.exe
2016	ashmailsrc.exe
2152	avgupsrvc.exe
4288	avgupsrvc.exe
3732	avgrdam.exe
2776	avgrdam.exe
5108	avirarkmd.exe
920	avirarkmd.exe
4944	avgmsva.exe
2092	avgmsva.exe
3604	avgemkdr.exe
4524	avgemkdr.exe
4652	ashsdlp.exe
5004	ashsdlp.exe
4076	avgscnr.exe
1204	avgscnr.exe
1616	avgapgui.exe
3644	avgapgui.exe
1260	ashwbsm.exe
4552	ashwbsm.exe
640	avgrdam.exe
3136	avgrdam.exe
1536	aswupsrc.exe
4412	aswupsrc.exe
1344	avcntlx.exe
2648	avcntlx.exe
3596	avgmgent.exe
4464	avgmgent.exe
3252	ashwbsm.exe
316	ashwbsm.exe
2964	ashmailsrc.exe
4360	ashmailsrc.exe
1380	avgwsvcm.exe
2272	avgwsvcm.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Servicer = "ashsvam.exe"	avgupsrvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir DB Management = "avgmgent.exe"	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	avgwsvcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Controller = "avgectam.exe"	ashwbsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast MailWatch Client = "ashmailsrc.exe"	avgrdam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast WebWatch Client = "ashwbsm.exe"	ashwbsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus GUI = "avgapgui.exe"	avgscnr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Rootkit Remover = "avirarkmd.exe"	avgemkdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Active-Guard = "avgrdam.exe"	ashwbsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast WebWatch Client = "ashwbsm.exe"	avgapgui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Auto-Updater = "aswupsrc.exe"	ashsvam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast WebWatch Client = "ashwbsm.exe"	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Security System = "avgwsvcm.exe"	avirarkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Rootkit Remover = "avirarkmd.exe"	aswupsrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir DB Management = "avgmgent.exe"	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Control = "avcntlx.exe"	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Servicer = "ashsvam.exe"	avgectam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Scanner = "avgscnr.exe"	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Display Service = "ashsdlp.exe"	avgemkdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast WebWatch Client = "ashwbsm.exe"	avgmgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast WebWatch Client = "ashwbsm.exe"	ashsvam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Servicer = "avgupsrvc.exe"	avgmgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Scanner = "avgscnr.exe"	avgmgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Rootkit Remover = "avirarkmd.exe"	ashwbsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast WebWatch Client = "ashwbsm.exe"	avgapgui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast WebWatch Client = "ashwbsm.exe"	avirarkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Servicer = "ashsvam.exe"	avgrdam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Display Service = "ashsdlp.exe"	avirarkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Display Service = "ashsdlp.exe"	avgwsvcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Scanner = "avgscnr.exe"	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Control = "avcntlx.exe"	avgscnr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Display Service = "ashsdlp.exe"	avgectam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Servicer = "avgupsrvc.exe"	avgmgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Servicer = "avgupsrvc.exe"	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	ashwbsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus GUI = "avgapgui.exe"	avgmgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Rootkit Remover = "avirarkmd.exe"	avgemkdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Auto-Updater = "aswupsrc.exe"	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Scanner = "avgscnr.exe"	ashsvam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Control = "avcntlx.exe"	avgscnr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Servicer = "ashsvam.exe"	avgwsvcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Scanner = "avgscnr.exe"	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir DB Management = "avgmgent.exe"	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir DB Management = "avgmgent.exe"	avgapgui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus GUI = "avgapgui.exe"	avirarkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir DB Management = "avgmgent.exe"	avgemkdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	avgemkdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Rootkit Remover = "avirarkmd.exe"	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	ashsvam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Rootkit Remover = "avirarkmd.exe"	avgrdam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Auto-Updater = "aswupsrc.exe"	avgrdam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Control = "avcntlx.exe"	avirarkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast MailWatch Client = "ashmailsrc.exe"	ashwbsm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ashsdlp.exe	ashsdlp.exe
File opened for modification	C:\Windows\SysWOW64\ashmailsrc.exe	avgrdam.exe
File created	C:\Windows\SysWOW64\avgmsva.exe	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\avgscnr.exe	avgupsrvc.exe
File created	C:\Windows\SysWOW64\avgapgui.exe	avgscnr.exe
File opened for modification	C:\Windows\SysWOW64\avgapgui.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\avgwsvcm.exe	ashwbsm.exe
File created	C:\Windows\SysWOW64\avcntlx.exe	ashsvam.exe
File opened for modification	C:\Windows\SysWOW64\avirarkmd.exe	avcntlx.exe
File opened for modification	C:\Windows\SysWOW64\aswupsrc.exe	ashsvam.exe
File created	C:\Windows\SysWOW64\avgrdam.exe	ashwbsm.exe
File opened for modification	C:\Windows\SysWOW64\ashwbsm.exe	avgmgent.exe
File created	C:\Windows\SysWOW64\ashsvam.exe	avgupsrvc.exe
File created	C:\Windows\SysWOW64\avgapgui.exe	avgscnr.exe
File created	C:\Windows\SysWOW64\avgscnr.exe	ashwbsm.exe
File opened for modification	C:\Windows\SysWOW64\avgemkdr.exe	aswupsrc.exe
File opened for modification	C:\Windows\SysWOW64\avgscnr.exe	avgupsrvc.exe
File created	C:\Windows\SysWOW64\avgscnr.exe	ashsdlp.exe
File opened for modification	C:\Windows\SysWOW64\aswupsrc.exe	avgupsrvc.exe
File created	C:\Windows\SysWOW64\avgapgui.exe	avgmsva.exe
File created	C:\Windows\SysWOW64\avcntlx.exe	avgwsvcm.exe
File opened for modification	C:\Windows\SysWOW64\ashsvam.exe	avgwsvcm.exe
File opened for modification	C:\Windows\SysWOW64\avgemkdr.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\avgectam.exe	ashsdlp.exe
File created	C:\Windows\SysWOW64\avgmsva.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\avgwsvcm.exe	avgscnr.exe
File created	C:\Windows\SysWOW64\ashwbsm.exe	avgmgent.exe
File opened for modification	C:\Windows\SysWOW64\avcntlx.exe	avgscnr.exe
File opened for modification	C:\Windows\SysWOW64\avgscnr.exe	ashsdlp.exe
File opened for modification	C:\Windows\SysWOW64\ashsdlp.exe	avgapgui.exe
File created	C:\Windows\SysWOW64\avgectam.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\avgectam.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\avgmgent.exe	avgmsva.exe
File created	C:\Windows\SysWOW64\avgscnr.exe	avgmgent.exe
File created	C:\Windows\SysWOW64\avgapgui.exe	avirarkmd.exe
File created	C:\Windows\SysWOW64\avgmgent.exe	avcntlx.exe
File created	C:\Windows\SysWOW64\avgmsva.exe	avcntlx.exe
File opened for modification	C:\Windows\SysWOW64\aswupsrc.exe	avgrdam.exe
File created	C:\Windows\SysWOW64\avgupsrvc.exe	ashsdlp.exe
File opened for modification	C:\Windows\SysWOW64\avgmsva.exe	ashsdlp.exe
File created	C:\Windows\SysWOW64\ashsvam.exe	avgwsvcm.exe
File created	C:\Windows\SysWOW64\avgrdam.exe	avgemkdr.exe
File opened for modification	C:\Windows\SysWOW64\ashwbsm.exe	ashwbsm.exe
File created	C:\Windows\SysWOW64\avgectam.exe	avgemkdr.exe
File opened for modification	C:\Windows\SysWOW64\aswupsrc.exe	avgemkdr.exe
File opened for modification	C:\Windows\SysWOW64\avgwsvcm.exe	avirarkmd.exe
File opened for modification	C:\Windows\SysWOW64\avirarkmd.exe	avgrdam.exe
File created	C:\Windows\SysWOW64\aswupsrc.exe	avgemkdr.exe
File created	C:\Windows\SysWOW64\avcntlx.exe	aswupsrc.exe
File created	C:\Windows\SysWOW64\avgscnr.exe	ashsvam.exe
File opened for modification	C:\Windows\SysWOW64\avcntlx.exe	ashsdlp.exe
File opened for modification	C:\Windows\SysWOW64\avgrdam.exe	avgemkdr.exe
File created	C:\Windows\SysWOW64\ashsvam.exe	avgrdam.exe
File opened for modification	C:\Windows\SysWOW64\ashsvam.exe	avgupsrvc.exe
File opened for modification	C:\Windows\SysWOW64\ashsdlp.exe	avgwsvcm.exe
File created	C:\Windows\SysWOW64\avcntlx.exe	ashsdlp.exe
File created	C:\Windows\SysWOW64\ashwbsm.exe	ashwbsm.exe
File created	C:\Windows\SysWOW64\avgemkdr.exe	avgapgui.exe
File created	C:\Windows\SysWOW64\aswupsrc.exe	ashsvam.exe
File opened for modification	C:\Windows\SysWOW64\avirarkmd.exe	avgectam.exe
File created	C:\Windows\SysWOW64\avgemkdr.exe	avgwsvcm.exe
File opened for modification	C:\Windows\SysWOW64\ashsdlp.exe	avgectam.exe
File opened for modification	C:\Windows\SysWOW64\avgupsrvc.exe	ashmailsrc.exe
File created	C:\Windows\SysWOW64\avgscnr.exe	avgupsrvc.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 1300	2376	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	85
PID 2492 set thread context of 4052	2492	avgmsva.exe	95
PID 1364 set thread context of 1164	1364	avgmsva.exe	105
PID 4156 set thread context of 4512	4156	avgmsva.exe	115
PID 4932 set thread context of 4728	4932	ashsvam.exe	125
PID 3944 set thread context of 1940	3944	ashwbsm.exe	135
PID 2224 set thread context of 4492	2224	ashwbsm.exe	145
PID 2464 set thread context of 2092	2464	avirarkmd.exe	155
PID 2360 set thread context of 2692	2360	ashsdlp.exe	165
PID 3780 set thread context of 3316	3780	avgmsva.exe	175
PID 2136 set thread context of 4532	2136	avgemkdr.exe	185
PID 2052 set thread context of 560	2052	avcntlx.exe	195
PID 4252 set thread context of 4352	4252	avgmsva.exe	205
PID 1348 set thread context of 4268	1348	avgectam.exe	215
PID 4220 set thread context of 3288	4220	ashwbsm.exe	225
PID 2136 set thread context of 912	2136	avgemkdr.exe	235
PID 3604 set thread context of 2016	3604	ashmailsrc.exe	245
PID 2152 set thread context of 4288	2152	avgupsrvc.exe	255
PID 3732 set thread context of 2776	3732	avgrdam.exe	265
PID 5108 set thread context of 920	5108	avirarkmd.exe	275
PID 4944 set thread context of 2092	4944	avgmsva.exe	285
PID 3604 set thread context of 4524	3604	avgemkdr.exe	295
PID 4652 set thread context of 5004	4652	ashsdlp.exe	305
PID 4076 set thread context of 1204	4076	avgscnr.exe	315
PID 1616 set thread context of 3644	1616	avgapgui.exe	326
PID 1260 set thread context of 4552	1260	ashwbsm.exe	337
PID 640 set thread context of 3136	640	avgrdam.exe	347
PID 1344 set thread context of 2648	1344	avcntlx.exe	367
PID 3596 set thread context of 4464	3596	avgmgent.exe	377
PID 3252 set thread context of 316	3252	ashwbsm.exe	387
PID 2964 set thread context of 4360	2964	ashmailsrc.exe	397
PID 1380 set thread context of 2272	1380	avgwsvcm.exe	407
PID 3692 set thread context of 4252	3692	ashsdlp.exe	417
PID 5104 set thread context of 2332	5104	avgmgent.exe	428
PID 3992 set thread context of 2208	3992	avgapgui.exe	438
PID 3756 set thread context of 2820	3756	avgmgent.exe	448
PID 3248 set thread context of 5108	3248	avgupsrvc.exe	458
PID 3900 set thread context of 872	3900	avgscnr.exe	468
PID 4416 set thread context of 1592	4416	ashsdlp.exe	478
PID 1868 set thread context of 324	1868	avcntlx.exe	488
PID 1932 set thread context of 3208	1932	avgscnr.exe	498
PID 2380 set thread context of 2936	2380	avgapgui.exe	508
PID 1064 set thread context of 1872	1064	ashwbsm.exe	518
PID 384 set thread context of 1228	384	avgemkdr.exe	528
PID 1704 set thread context of 5008	1704	avirarkmd.exe	538
PID 460 set thread context of 4284	460	avgapgui.exe	548
PID 4664 set thread context of 1116	4664	avgemkdr.exe	558
PID 884 set thread context of 1860	884	avgectam.exe	568
PID 2448 set thread context of 5108	2448	ashsvam.exe	578
PID 2052 set thread context of 3968	2052	ashsdlp.exe	588
PID 408 set thread context of 1772	408	aswupsrc.exe	598
PID 2152 set thread context of 4704	2152	ashsdlp.exe	608
PID 3236 set thread context of 1116	3236	avgscnr.exe	618
PID 3212 set thread context of 4852	3212	avgemkdr.exe	628
PID 700 set thread context of 3368	700	ashsdlp.exe	638
PID 5108 set thread context of 2520	5108	avgectam.exe	648
PID 4484 set thread context of 3980	4484	ashsdlp.exe	658
PID 2744 set thread context of 1104	2744	avgmsva.exe	668
PID 832 set thread context of 4588	832	avgapgui.exe	678
PID 1984 set thread context of 4940	1984	avgemkdr.exe	688
PID 4564 set thread context of 4396	4564	avgwsvcm.exe	698
PID 1596 set thread context of 1384	1596	avcntlx.exe	708
PID 3640 set thread context of 3712	3640	ashwbsm.exe	718
PID 460 set thread context of 2860	460	avgwsvcm.exe	728

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgscnr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avcntlx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashwbsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgapgui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgapgui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgscnr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avirarkmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avcntlx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashwbsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgemkdr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgscnr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgectam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgwsvcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsvam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgupsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgscnr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgapgui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashwbsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgemkdr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgrdam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	aswupsrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgmsva.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgemkdr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgemkdr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avcntlx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashmailsrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgscnr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgemkdr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgwsvcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgemkdr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgmgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgscnr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgmsva.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgupsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgmsva.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgscnr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgemkdr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avirarkmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsvam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgscnr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	aswupsrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgmsva.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashwbsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgmgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashwbsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgmsva.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgrdam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgwsvcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgapgui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgapgui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgemkdr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsvam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashwbsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avirarkmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4052	avgmsva.exe
Token: SeIncBasePriorityPrivilege	1164	avgmsva.exe
Token: SeIncBasePriorityPrivilege	4512	avgmsva.exe
Token: SeIncBasePriorityPrivilege	4728	ashsvam.exe
Token: SeIncBasePriorityPrivilege	1940	ashwbsm.exe
Token: SeIncBasePriorityPrivilege	4492	ashwbsm.exe
Token: SeIncBasePriorityPrivilege	2092	avirarkmd.exe
Token: SeIncBasePriorityPrivilege	2692	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	3316	avgmsva.exe
Token: SeIncBasePriorityPrivilege	4532	avgemkdr.exe
Token: SeIncBasePriorityPrivilege	560	avcntlx.exe
Token: SeIncBasePriorityPrivilege	4352	avgmsva.exe
Token: SeIncBasePriorityPrivilege	4268	avgectam.exe
Token: SeIncBasePriorityPrivilege	3288	ashwbsm.exe
Token: SeIncBasePriorityPrivilege	912	avgemkdr.exe
Token: SeIncBasePriorityPrivilege	2016	ashmailsrc.exe
Token: SeIncBasePriorityPrivilege	4288	avgupsrvc.exe
Token: SeIncBasePriorityPrivilege	2776	avgrdam.exe
Token: SeIncBasePriorityPrivilege	920	avirarkmd.exe
Token: SeIncBasePriorityPrivilege	2092	avgmsva.exe
Token: SeIncBasePriorityPrivilege	4524	avgemkdr.exe
Token: SeIncBasePriorityPrivilege	5004	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	1204	avgscnr.exe
Token: SeIncBasePriorityPrivilege	3644	avgapgui.exe
Token: SeIncBasePriorityPrivilege	4552	ashwbsm.exe
Token: SeIncBasePriorityPrivilege	3136	avgrdam.exe
Token: SeIncBasePriorityPrivilege	4412	aswupsrc.exe
Token: SeIncBasePriorityPrivilege	2648	avcntlx.exe
Token: SeIncBasePriorityPrivilege	4464	avgmgent.exe
Token: SeIncBasePriorityPrivilege	316	ashwbsm.exe
Token: SeIncBasePriorityPrivilege	4360	ashmailsrc.exe
Token: SeIncBasePriorityPrivilege	2272	avgwsvcm.exe
Token: SeIncBasePriorityPrivilege	4252	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	2332	avgmgent.exe
Token: SeIncBasePriorityPrivilege	2208	avgapgui.exe
Token: SeIncBasePriorityPrivilege	2820	avgmgent.exe
Token: SeIncBasePriorityPrivilege	5108	avgupsrvc.exe
Token: SeIncBasePriorityPrivilege	872	avgscnr.exe
Token: SeIncBasePriorityPrivilege	1592	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	324	avcntlx.exe
Token: SeIncBasePriorityPrivilege	3208	avgscnr.exe
Token: SeIncBasePriorityPrivilege	2936	avgapgui.exe
Token: SeIncBasePriorityPrivilege	1872	ashwbsm.exe
Token: SeIncBasePriorityPrivilege	1228	avgemkdr.exe
Token: SeIncBasePriorityPrivilege	5008	avirarkmd.exe
Token: SeIncBasePriorityPrivilege	4284	avgapgui.exe
Token: SeIncBasePriorityPrivilege	1116	avgemkdr.exe
Token: SeIncBasePriorityPrivilege	1860	avgectam.exe
Token: SeIncBasePriorityPrivilege	5108	ashsvam.exe
Token: SeIncBasePriorityPrivilege	3968	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	1772	aswupsrc.exe
Token: SeIncBasePriorityPrivilege	4704	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	1116	avgscnr.exe
Token: SeIncBasePriorityPrivilege	4852	avgemkdr.exe
Token: SeIncBasePriorityPrivilege	3368	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	2520	avgectam.exe
Token: SeIncBasePriorityPrivilege	3980	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	1104	avgmsva.exe
Token: SeIncBasePriorityPrivilege	4588	avgapgui.exe
Token: SeIncBasePriorityPrivilege	4940	avgemkdr.exe
Token: SeIncBasePriorityPrivilege	4396	avgwsvcm.exe
Token: SeIncBasePriorityPrivilege	1384	avcntlx.exe
Token: SeIncBasePriorityPrivilege	3712	ashwbsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1300	2376	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	85
PID 2376 wrote to memory of 1300	2376	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	85
PID 2376 wrote to memory of 1300	2376	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	85
PID 2376 wrote to memory of 1300	2376	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	85
PID 2376 wrote to memory of 1300	2376	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	85
PID 2376 wrote to memory of 1300	2376	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	85
PID 2376 wrote to memory of 1300	2376	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	85
PID 2376 wrote to memory of 1300	2376	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	85
PID 1300 wrote to memory of 2492	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	86
PID 1300 wrote to memory of 2492	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	86
PID 1300 wrote to memory of 2492	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	86
PID 1300 wrote to memory of 2696	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	87
PID 1300 wrote to memory of 2696	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	87
PID 1300 wrote to memory of 2696	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	87
PID 1300 wrote to memory of 3944	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	88
PID 1300 wrote to memory of 3944	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	88
PID 1300 wrote to memory of 3944	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	88
PID 1300 wrote to memory of 1484	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	89
PID 1300 wrote to memory of 1484	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	89
PID 1300 wrote to memory of 1484	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	89
PID 1300 wrote to memory of 4856	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	91
PID 1300 wrote to memory of 4856	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	91
PID 1300 wrote to memory of 4856	1300	2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe	91
PID 2492 wrote to memory of 4052	2492	avgmsva.exe	95
PID 2492 wrote to memory of 4052	2492	avgmsva.exe	95
PID 2492 wrote to memory of 4052	2492	avgmsva.exe	95
PID 2492 wrote to memory of 4052	2492	avgmsva.exe	95
PID 2492 wrote to memory of 4052	2492	avgmsva.exe	95
PID 2492 wrote to memory of 4052	2492	avgmsva.exe	95
PID 2492 wrote to memory of 4052	2492	avgmsva.exe	95
PID 2492 wrote to memory of 4052	2492	avgmsva.exe	95
PID 4052 wrote to memory of 1364	4052	avgmsva.exe	96
PID 4052 wrote to memory of 1364	4052	avgmsva.exe	96
PID 4052 wrote to memory of 1364	4052	avgmsva.exe	96
PID 4052 wrote to memory of 4756	4052	avgmsva.exe	97
PID 4052 wrote to memory of 4756	4052	avgmsva.exe	97
PID 4052 wrote to memory of 4756	4052	avgmsva.exe	97
PID 4052 wrote to memory of 1932	4052	avgmsva.exe	98
PID 4052 wrote to memory of 1932	4052	avgmsva.exe	98
PID 4052 wrote to memory of 1932	4052	avgmsva.exe	98
PID 4052 wrote to memory of 5104	4052	avgmsva.exe	99
PID 4052 wrote to memory of 5104	4052	avgmsva.exe	99
PID 4052 wrote to memory of 5104	4052	avgmsva.exe	99
PID 4052 wrote to memory of 4664	4052	avgmsva.exe	100
PID 4052 wrote to memory of 4664	4052	avgmsva.exe	100
PID 4052 wrote to memory of 4664	4052	avgmsva.exe	100
PID 1364 wrote to memory of 1164	1364	avgmsva.exe	105
PID 1364 wrote to memory of 1164	1364	avgmsva.exe	105
PID 1364 wrote to memory of 1164	1364	avgmsva.exe	105
PID 1364 wrote to memory of 1164	1364	avgmsva.exe	105
PID 1364 wrote to memory of 1164	1364	avgmsva.exe	105
PID 1364 wrote to memory of 1164	1364	avgmsva.exe	105
PID 1364 wrote to memory of 1164	1364	avgmsva.exe	105
PID 1364 wrote to memory of 1164	1364	avgmsva.exe	105
PID 1164 wrote to memory of 4156	1164	avgmsva.exe	106
PID 1164 wrote to memory of 4156	1164	avgmsva.exe	106
PID 1164 wrote to memory of 4156	1164	avgmsva.exe	106
PID 1164 wrote to memory of 4176	1164	avgmsva.exe	107
PID 1164 wrote to memory of 4176	1164	avgmsva.exe	107
PID 1164 wrote to memory of 4176	1164	avgmsva.exe	107
PID 1164 wrote to memory of 2380	1164	avgmsva.exe	108
PID 1164 wrote to memory of 2380	1164	avgmsva.exe	108
PID 1164 wrote to memory of 2380	1164	avgmsva.exe	108
PID 1164 wrote to memory of 1552	1164	avgmsva.exe	109

C:\Users\Admin\AppData\Local\Temp\2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2d57d5b3e5f2c05975e55437b817fece_JaffaCakes118.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\avgmsva.exe
    "C:\Windows\system32\avgmsva.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\avgmsva.exe
      "C:\Windows\SysWOW64\avgmsva.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4156
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4932
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3944
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        12⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2224
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        14⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\system32\avirarkmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2464
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\SysWOW64\avirarkmd.exe"
        16⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2360
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        18⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3780
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2136
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        22⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2052
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        24⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4252
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1348
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4220
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        30⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2136
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        32⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\system32\ashmailsrc.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3604
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\SysWOW64\ashmailsrc.exe"
        34⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\system32\avgupsrvc.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2152
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\SysWOW64\avgupsrvc.exe"
        36⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Windows\SysWOW64\avgrdam.exe
        
        "C:\Windows\system32\avgrdam.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3732
        
        C:\Windows\SysWOW64\avgrdam.exe
        
        "C:\Windows\SysWOW64\avgrdam.exe"
        38⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\system32\avirarkmd.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5108
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\SysWOW64\avirarkmd.exe"
        40⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4944
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        42⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3604
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        44⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4652
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        46⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4076
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1616
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1260
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\SysWOW64\avgrdam.exe
        
        "C:\Windows\system32\avgrdam.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:640
        
        C:\Windows\SysWOW64\avgrdam.exe
        
        "C:\Windows\SysWOW64\avgrdam.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\system32\aswupsrc.exe"
        55⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\SysWOW64\aswupsrc.exe"
        56⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1344
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        58⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\system32\avgmgent.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3596
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\SysWOW64\avgmgent.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3252
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        62⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\system32\ashmailsrc.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2964
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\SysWOW64\ashmailsrc.exe"
        64⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1380
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        66⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:3692
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        68⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\system32\avgmgent.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:5104
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\SysWOW64\avgmgent.exe"
        70⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:3992
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        72⤵
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\system32\avgmgent.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:3756
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\SysWOW64\avgmgent.exe"
        74⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\system32\avgupsrvc.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:3248
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\SysWOW64\avgupsrvc.exe"
        76⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:3900
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        78⤵
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:4416
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        80⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:1868
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        82⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:1932
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        84⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:2380
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        86⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:1064
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        88⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:384
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        90⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\system32\avirarkmd.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:1704
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\SysWOW64\avirarkmd.exe"
        92⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:460
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        94⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:4664
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        96⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:884
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        98⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:2448
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        100⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2052
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        102⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\system32\aswupsrc.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:408
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\SysWOW64\aswupsrc.exe"
        104⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:2152
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        106⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:3236
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        108⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:3212
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        110⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:700
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        112⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:5108
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        114⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:4484
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        116⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:2744
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        118⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:832
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        120⤵
        Modifies visiblity of hidden/system files in Explorer
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:1984
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        122⤵
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:4564
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        124⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:1596
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        126⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:3640
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        128⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        129⤵
        Suspicious use of SetThreadContext
        
        PID:460
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        130⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        131⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        132⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        133⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        134⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        135⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        136⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        
        PID:1500
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\system32\avgupsrvc.exe"
        137⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\SysWOW64\avgupsrvc.exe"
        138⤵
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        139⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        140⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        141⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        143⤵
        
        PID:392
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        144⤵
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        145⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        146⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        147⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        148⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        149⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        150⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        151⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        152⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\system32\aswupsrc.exe"
        153⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\SysWOW64\aswupsrc.exe"
        154⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\system32\avgmgent.exe"
        155⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\SysWOW64\avgmgent.exe"
        156⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        
        PID:888
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\system32\avgupsrvc.exe"
        157⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\SysWOW64\avgupsrvc.exe"
        158⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\system32\aswupsrc.exe"
        159⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\SysWOW64\aswupsrc.exe"
        160⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        161⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        162⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        163⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        164⤵
        Modifies visiblity of hidden/system files in Explorer
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        165⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        166⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        167⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        168⤵
        Modifies visiblity of hidden/system files in Explorer
        
        PID:2444
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        169⤵
        
        PID:908
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        170⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        171⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        172⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\system32\avirarkmd.exe"
        173⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\SysWOW64\avirarkmd.exe"
        174⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4060
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        175⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        176⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        177⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        178⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:732
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        179⤵
        
        PID:748
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        180⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        181⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        182⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\system32\avgmgent.exe"
        183⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\SysWOW64\avgmgent.exe"
        184⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        185⤵
        
        PID:656
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        186⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        187⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        188⤵
        Modifies visiblity of hidden/system files in Explorer
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        189⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        190⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\system32\avirarkmd.exe"
        191⤵
        
        PID:324
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\SysWOW64\avirarkmd.exe"
        192⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        193⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        194⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        195⤵
        
        PID:696
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        196⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\avgrdam.exe
        
        "C:\Windows\system32\avgrdam.exe"
        197⤵
        
        PID:908
        
        C:\Windows\SysWOW64\avgrdam.exe
        
        "C:\Windows\SysWOW64\avgrdam.exe"
        198⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        199⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        200⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\system32\aswupsrc.exe"
        201⤵
        
        PID:376
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\SysWOW64\aswupsrc.exe"
        202⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2224
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\system32\avirarkmd.exe"
        203⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\SysWOW64\avirarkmd.exe"
        204⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3376
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        205⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        206⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        207⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        208⤵
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        209⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        210⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\system32\avgscnr.exe"
        211⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\avgscnr.exe
        
        "C:\Windows\SysWOW64\avgscnr.exe"
        212⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        213⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        214⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        215⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        216⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        217⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        218⤵
        Checks computer location settings
        
        PID:2004
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        219⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\SysWOW64\avgectam.exe"
        220⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\system32\avirarkmd.exe"
        221⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\avirarkmd.exe
        
        "C:\Windows\SysWOW64\avirarkmd.exe"
        222⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        223⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        224⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        225⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        226⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\system32\avgupsrvc.exe"
        227⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\SysWOW64\avgupsrvc.exe"
        228⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        229⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        230⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\avgrdam.exe
        
        "C:\Windows\system32\avgrdam.exe"
        231⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\avgrdam.exe
        
        "C:\Windows\SysWOW64\avgrdam.exe"
        232⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\system32\ashmailsrc.exe"
        233⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\ashmailsrc.exe
        
        "C:\Windows\SysWOW64\ashmailsrc.exe"
        234⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        
        PID:4944
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        235⤵
        
        PID:908
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        236⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        237⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        238⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        
        PID:3140
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\system32\avgmgent.exe"
        239⤵
        
        PID:764
        
        C:\Windows\SysWOW64\avgmgent.exe
        
        "C:\Windows\SysWOW64\avgmgent.exe"
        240⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        239⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        239⤵
        
        PID:216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        239⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        239⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        237⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        237⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        237⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        237⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        235⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        235⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        235⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ASHMAI~1.EXE > nul
        235⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        233⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        233⤵
        
        PID:544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        233⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgrdam.exe > nul
        233⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        231⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        231⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        231⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        231⤵
        
        PID:316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        229⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        229⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        229⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVGUPS~1.EXE > nul
        229⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        227⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        227⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        227⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        227⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        225⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        225⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        225⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        225⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        223⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        223⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        223⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVIRAR~1.EXE > nul
        223⤵
        
        PID:232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        221⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        221⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        221⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        221⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        219⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        219⤵
        
        PID:208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        219⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        219⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        217⤵
        
        PID:324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        217⤵
        
        PID:452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        217⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        217⤵
        
        PID:436
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        215⤵
        
        PID:556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        215⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        215⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        215⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        213⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        213⤵
        
        PID:656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        213⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        213⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        211⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        211⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        211⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        211⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        209⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        209⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        209⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        209⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        207⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        207⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        207⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        207⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        205⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        205⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        205⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVIRAR~1.EXE > nul
        205⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        203⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        203⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        203⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\aswupsrc.exe > nul
        203⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        201⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        201⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        201⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        201⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        199⤵
        
        PID:740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        199⤵
        
        PID:852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        199⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgrdam.exe > nul
        199⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        197⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        197⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        197⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        197⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        195⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        195⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        195⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        195⤵
        
        PID:224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        193⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        193⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        193⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVIRAR~1.EXE > nul
        193⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        191⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        191⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        191⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        191⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        189⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        189⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        189⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        189⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        187⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        187⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        187⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        187⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        185⤵
        
        PID:840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        185⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        185⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmgent.exe > nul
        185⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        183⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        183⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        183⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        183⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        181⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        181⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        181⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        181⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        179⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        179⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        179⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        179⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        177⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        177⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        177⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        177⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        175⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        175⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        175⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVIRAR~1.EXE > nul
        175⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        173⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        173⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        173⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        173⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        171⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        171⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        171⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        171⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        169⤵
        
        PID:544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        169⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        169⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        169⤵
        
        PID:224
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        167⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        167⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        167⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        167⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        165⤵
        
        PID:408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        165⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        165⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        165⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        163⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        163⤵
        
        PID:756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        163⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        163⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        161⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        161⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        161⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\aswupsrc.exe > nul
        161⤵
        
        PID:232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        159⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        159⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        159⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVGUPS~1.EXE > nul
        159⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        157⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        157⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        157⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmgent.exe > nul
        157⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        155⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        155⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        155⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\aswupsrc.exe > nul
        155⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        153⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        153⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        153⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        153⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        151⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        151⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        151⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        151⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        149⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        149⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        149⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        149⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        147⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        147⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        147⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        147⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        145⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        145⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        145⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        145⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        143⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        143⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        143⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        143⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        141⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        141⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        141⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        141⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        139⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        139⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        139⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVGUPS~1.EXE > nul
        139⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        137⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        137⤵
        
        PID:740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        137⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        137⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        135⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        135⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        135⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        135⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        133⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        133⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        133⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        133⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        131⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        131⤵
        
        PID:668
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        131⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        131⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        129⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        129⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        129⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        129⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        127⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        127⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        127⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        127⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        125⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        125⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        125⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        125⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        123⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        123⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        123⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        123⤵
        
        PID:376
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        121⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        121⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        121⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        121⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        119⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        119⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        119⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        119⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        117⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        117⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        117⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        117⤵
        
        PID:452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        115⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        115⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        115⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        115⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        113⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        113⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        113⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        113⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        111⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        111⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        111⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        111⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        109⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        109⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        109⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        109⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        107⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        107⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        107⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        107⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        105⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        105⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        105⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\aswupsrc.exe > nul
        105⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        103⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        103⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        103⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        103⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        101⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        101⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        101⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        101⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        99⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        99⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        99⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        99⤵
        
        PID:232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        97⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        97⤵
        
        PID:768
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        97⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        97⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        95⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        95⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        95⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        95⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        93⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        93⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        93⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVIRAR~1.EXE > nul
        93⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        91⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        91⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        91⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        91⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        89⤵
        
        PID:704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        89⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        89⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        89⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        87⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        87⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        87⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        87⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        85⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        85⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        85⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        85⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        83⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        83⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        83⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        83⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        81⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        81⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        81⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        81⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        79⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        79⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        79⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        79⤵
        
        PID:732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        77⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        77⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        77⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVGUPS~1.EXE > nul
        77⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        75⤵
        
        PID:232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        75⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        75⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmgent.exe > nul
        75⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        73⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        73⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        73⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        73⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        71⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        71⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        71⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmgent.exe > nul
        71⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        69⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        69⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        69⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        69⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        67⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        67⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        67⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        67⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        65⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        65⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        65⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ASHMAI~1.EXE > nul
        65⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        63⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        63⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        63⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        63⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        61⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        61⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        61⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmgent.exe > nul
        61⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        59⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        59⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        59⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        59⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        57⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        57⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        57⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\aswupsrc.exe > nul
        57⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        55⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        55⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        55⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgrdam.exe > nul
        55⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        53⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        53⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        53⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        53⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        51⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        51⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        51⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        51⤵
        
        PID:408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        49⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        49⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        49⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgscnr.exe > nul
        49⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        47⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        47⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        47⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        47⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        45⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        45⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        45⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        45⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        43⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        43⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        43⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        43⤵
        
        PID:852
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        41⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        41⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        41⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVIRAR~1.EXE > nul
        41⤵
        
        PID:732
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        39⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        39⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        39⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgrdam.exe > nul
        39⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        37⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        37⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        37⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVGUPS~1.EXE > nul
        37⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        35⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        35⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        35⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ASHMAI~1.EXE > nul
        35⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        33⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        33⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        33⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        33⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        31⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        31⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:460
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        29⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgectam.exe > nul
        29⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        27⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        27⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        25⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        25⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        23⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        23⤵
        
        PID:920
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        21⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        21⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        19⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        19⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        17⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVIRAR~1.EXE > nul
        17⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        15⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        15⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        13⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        13⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        11⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        11⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        9⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        9⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        7⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        7⤵
        
        PID:3456
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:4756
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        5⤵
        
        PID:5104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        5⤵
        
        PID:4664
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.scr
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2D57D5~1.EXE > nul
    3⤵
    PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\avgmsva.exe

Filesize
73KB

MD5
2d57d5b3e5f2c05975e55437b817fece

SHA1
5180e06065681f3f3636c0eb22631147aaf03968

SHA256
8576a75c652dc9e6cd91c64aeeb3de8eedff58dea0ca89da19f36176314abfe4

SHA512
0a9439f4a28c00590f67f47344668ec5f3210f4a28a4cb9d88ee77e9c79e6025701752674c529e6aff44d1c3e478d795c8ddf2ad89892b8b2f001f06fb2f8d69

Download Submit
memory/1164-83-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1300-0-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1300-2-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1300-1-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1300-4-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1364-84-0x0000000000600000-0x0000000000619000-memory.dmp

Filesize
100KB

Download
memory/2224-245-0x0000000000600000-0x0000000000619000-memory.dmp

Filesize
100KB

Download
memory/2376-7-0x0000000000600000-0x0000000000619000-memory.dmp

Filesize
100KB

Download
memory/2464-314-0x0000000000600000-0x0000000000619000-memory.dmp

Filesize
100KB

Download
memory/2492-74-0x0000000000600000-0x0000000000619000-memory.dmp

Filesize
100KB

Download
memory/3944-233-0x0000000000600000-0x0000000000619000-memory.dmp

Filesize
100KB

Download
memory/4052-73-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/4156-96-0x0000000000600000-0x0000000000619000-memory.dmp

Filesize
100KB

Download
memory/4932-171-0x0000000000600000-0x0000000000619000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads