8b8e66d39c2aef111ec17621167dc32c20635e09080bb2340a76fb5a779a60da

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe
Size

19KB
MD5

72efb8ce495abcc5d0513eca8d5cd07a
SHA1

5a4653a620a54e229acdc9774e122d201292564c
SHA256

8b8e66d39c2aef111ec17621167dc32c20635e09080bb2340a76fb5a779a60da
SHA512

74259b52f6761413816e1755708bcde23e730e93f3c828aff68112632df1ddea927faa91927314485c78f5fe2f4b3c15ef7735900877e70fcdce9774fe6876a6
SSDEEP

192:rjBPHGypoknDzNDL8EwD1yxDhsC+FpYKkvyFWjcCDi:rjx5XJL8EqoxNZ+FpY/Kwjre

Score

10^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2456	netsh.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3588	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
3660	taskkill.exe
3060	taskkill.exe
388	taskkill.exe
3644	taskkill.exe
2184	taskkill.exe
4460	taskkill.exe
1448	taskkill.exe
4380	taskkill.exe
1232	taskkill.exe
3628	taskkill.exe
2040	taskkill.exe
2164	taskkill.exe
2648	taskkill.exe
4568	taskkill.exe
4936	taskkill.exe
3556	taskkill.exe
3572	taskkill.exe
1468	taskkill.exe
2988	taskkill.exe
4020	taskkill.exe
3532	taskkill.exe
5012	taskkill.exe
1404	taskkill.exe
4228	taskkill.exe
2776	taskkill.exe
3768	taskkill.exe
4688	taskkill.exe
4312	taskkill.exe
1136	taskkill.exe
2100	taskkill.exe
1608	taskkill.exe
5000	taskkill.exe
4880	taskkill.exe
2548	taskkill.exe
3672	taskkill.exe
1308	taskkill.exe
1008	taskkill.exe
4704	taskkill.exe
3196	taskkill.exe
4432	taskkill.exe
1568	taskkill.exe
3972	taskkill.exe
752	taskkill.exe
920	taskkill.exe
1716	taskkill.exe
4000	taskkill.exe
5076	taskkill.exe
1472	taskkill.exe
2084	taskkill.exe
1028	taskkill.exe
2716	taskkill.exe
552	taskkill.exe
2744	taskkill.exe
4204	taskkill.exe
2896	taskkill.exe
4072	taskkill.exe
1124	taskkill.exe
4956	taskkill.exe
956	taskkill.exe
3772	taskkill.exe
2040	taskkill.exe
2548	taskkill.exe
324	taskkill.exe
208	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	4880	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	3672	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	3196	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 3548	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	85
PID 3104 wrote to memory of 3548	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	85
PID 3104 wrote to memory of 3548	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	85
PID 3548 wrote to memory of 3448	3548	cmd.exe	86
PID 3548 wrote to memory of 3448	3548	cmd.exe	86
PID 3548 wrote to memory of 3448	3548	cmd.exe	86
PID 3448 wrote to memory of 3672	3448	net.exe	87
PID 3448 wrote to memory of 3672	3448	net.exe	87
PID 3448 wrote to memory of 3672	3448	net.exe	87
PID 3104 wrote to memory of 3000	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	88
PID 3104 wrote to memory of 3000	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	88
PID 3104 wrote to memory of 3000	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	88
PID 3000 wrote to memory of 2456	3000	cmd.exe	89
PID 3000 wrote to memory of 2456	3000	cmd.exe	89
PID 3000 wrote to memory of 2456	3000	cmd.exe	89
PID 3104 wrote to memory of 1108	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	91
PID 3104 wrote to memory of 1108	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	91
PID 3104 wrote to memory of 1108	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	91
PID 1108 wrote to memory of 1140	1108	cmd.exe	92
PID 1108 wrote to memory of 1140	1108	cmd.exe	92
PID 1108 wrote to memory of 1140	1108	cmd.exe	92
PID 1140 wrote to memory of 1752	1140	net.exe	93
PID 1140 wrote to memory of 1752	1140	net.exe	93
PID 1140 wrote to memory of 1752	1140	net.exe	93
PID 3104 wrote to memory of 2528	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	94
PID 3104 wrote to memory of 2528	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	94
PID 3104 wrote to memory of 2528	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	94
PID 2528 wrote to memory of 3248	2528	cmd.exe	95
PID 2528 wrote to memory of 3248	2528	cmd.exe	95
PID 2528 wrote to memory of 3248	2528	cmd.exe	95
PID 3248 wrote to memory of 4952	3248	net.exe	96
PID 3248 wrote to memory of 4952	3248	net.exe	96
PID 3248 wrote to memory of 4952	3248	net.exe	96
PID 3104 wrote to memory of 2324	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	97
PID 3104 wrote to memory of 2324	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	97
PID 3104 wrote to memory of 2324	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	97
PID 2324 wrote to memory of 3588	2324	cmd.exe	98
PID 2324 wrote to memory of 3588	2324	cmd.exe	98
PID 2324 wrote to memory of 3588	2324	cmd.exe	98
PID 3104 wrote to memory of 3004	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	99
PID 3104 wrote to memory of 3004	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	99
PID 3104 wrote to memory of 3004	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	99
PID 3004 wrote to memory of 1008	3004	cmd.exe	100
PID 3004 wrote to memory of 1008	3004	cmd.exe	100
PID 3004 wrote to memory of 1008	3004	cmd.exe	100
PID 3104 wrote to memory of 4180	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	103
PID 3104 wrote to memory of 4180	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	103
PID 3104 wrote to memory of 4180	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	103
PID 4180 wrote to memory of 4312	4180	cmd.exe	104
PID 4180 wrote to memory of 4312	4180	cmd.exe	104
PID 4180 wrote to memory of 4312	4180	cmd.exe	104
PID 3104 wrote to memory of 1232	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	105
PID 3104 wrote to memory of 1232	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	105
PID 3104 wrote to memory of 1232	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	105
PID 1232 wrote to memory of 4968	1232	cmd.exe	106
PID 1232 wrote to memory of 4968	1232	cmd.exe	106
PID 1232 wrote to memory of 4968	1232	cmd.exe	106
PID 3104 wrote to memory of 4604	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	107
PID 3104 wrote to memory of 4604	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	107
PID 3104 wrote to memory of 4604	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	107
PID 4604 wrote to memory of 4148	4604	cmd.exe	108
PID 4604 wrote to memory of 4148	4604	cmd.exe	108
PID 4604 wrote to memory of 4148	4604	cmd.exe	108
PID 3104 wrote to memory of 3904	3104	72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe	110

C:\Users\Admin\AppData\Local\Temp\72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72efb8ce495abcc5d0513eca8d5cd07a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @net stop wscsvc >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:3672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @netsh firewall set opmode mode = disable >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode = disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @net stop SharedAccess >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @net stop wscsvc >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @sc config wscsvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgcc.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgcc.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgamsvr.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgamsvr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgupsvc.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgupsvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgw.exe >nul
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgcc32.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgctrl.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgctrl.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgserv.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgserv9.exe >nul
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgserv9schedapp.exe >nul
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9schedapp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgw.exe >nul
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgemc.exe >nul
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgemc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashwebsv.exe >nul
  2⤵
  PID:1020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashdisp.exe >nul
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashdisp.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashmaisv.exe >nul
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashmaisv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashserv.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im aswUpdSv.exe >nul
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aswUpdSv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashwebsv.exe >nul
  2⤵
  PID:4080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im savscan.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im savscan.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im symwsc.exe >nul
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symwsc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im norton.exe >nul
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im Norton Auto-Protect.exe >nul
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Norton Auto-Protect.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im norton_av.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton_av.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im norton_av.exe >nul
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton_av.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im nortonav.exe >nul
  2⤵
  PID:4204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nortonav.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ccsetmgr.exe >nul
  2⤵
  PID:1308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccsetmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ccevtmgr.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccevtmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashwebsv.exe >nul
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashwebsv.exe >nul
  2⤵
  PID:208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashdisp.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashdisp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashmaisv.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashmaisv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashserv.exe >nul
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im aswUpdSv.exe >nul
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aswUpdSv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im ashwebsv.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avadmin.exe >nul
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avadmin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avcenter.exe >nul
  2⤵
  PID:3728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avcenter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgnt.exe >nul
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgnt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avguard.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avguard.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avnotify.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avnotify.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avscan.exe >nul
  2⤵
  PID:3572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avscan.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im guardgui.exe >nul
  2⤵
  PID:752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guardgui.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im nod32krn.exe >nul
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32krn.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im nod32kui.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32kui.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im clamscan.exe >nul
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clamscan.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im clamTray.exe >nul
  2⤵
  PID:4812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clamTray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im clamWin.exe >nul
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clamWin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im freshclam.exe >nul
  2⤵
  PID:996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im freshclam.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im oladdin.exe >nul
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oladdin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im sigtool.exe >nul
  2⤵
  PID:548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sigtool.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im w9xpopen.exe >nul
  2⤵
  PID:4704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im w9xpopen.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im Wclose.exe >nul
  2⤵
  PID:4068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Wclose.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im cmgrdian.exe >nul
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmgrdian.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im oladdin.exe >nul
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oladdin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im alogserv.exe >nul
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alogserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im mcshield.exe >nul
  2⤵
  PID:3196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcshield.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im vshwin32.exe >nul
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vshwin32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avconsol.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avconsol.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im vsstat.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsstat.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im vsstat.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsstat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avsynmgr.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsynmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avcenter.exe >nul
  2⤵
  PID:4160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avcenter.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avcmd.exe >nul
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avcmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avconfig.exe >nul
  2⤵
  PID:864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avconfig.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avguard.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avguard.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avgnt.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgnt.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avnotify.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avnotify.exe
    3⤵
    - Kills process with taskkill
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im avscan.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avscan.exe
    3⤵
    - Kills process with taskkill
    PID:388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im guardgui.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guardgui.exe
    3⤵
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im licmgr.exe >nul
  2⤵
  PID:3484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im licmgr.exe
    3⤵
    - Kills process with taskkill
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im sched.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sched.exe
    3⤵
    - Kills process with taskkill
    PID:3532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im preupd.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im preupd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im MsMpEng.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @taskkill /f /im MSASCui.exe >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSASCui.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:5012