50eaa48f1a8d618333b04a861bda39dc5f6cee5462a25a21e5e47396214b6a3a

Analysis

max time kernel
94s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5d1cf23744836108f37cdc2df4bba1f_JaffaCakes118.exe
Size

15KB
MD5

d5d1cf23744836108f37cdc2df4bba1f
SHA1

dbb0063e389aeeb9db51c273086fca1f8f6ba84d
SHA256

50eaa48f1a8d618333b04a861bda39dc5f6cee5462a25a21e5e47396214b6a3a
SHA512

c555c830626a25748f0da32cafeecf2d56cb314d5f080d2f3b5b0dc5fda5c2f4c665db99bcf99230464572a960f8eabc34e9ec510c5c50ddfa9d65984e97891f
SSDEEP

192:njuDdoRPlXZcHsd+GWRM3lpJurlwCPl3OrjXqCqUXm605j4QwqnDsYF0VbOVcvQP:ypotksd+GsHrln6j7hqo1O2vLwylRI

Score

10^/10

discovery evasion execution persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	d5d1cf23744836108f37cdc2df4bba1f_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2408-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/2408-4-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVGi = "C:\\WINDOWS\\AVGi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVGs = "C:\\WINDOWS\\AVGs.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVGuP = "C:\\WINDOWS\\AVGuP.exe"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\avgup.bat	d5d1cf23744836108f37cdc2df4bba1f_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5016	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
3656	taskkill.exe
232	taskkill.exe
1780	taskkill.exe
3596	taskkill.exe
4704	taskkill.exe
4580	taskkill.exe
4664	taskkill.exe
4640	taskkill.exe
2640	taskkill.exe
5056	taskkill.exe
5044	taskkill.exe
3228	taskkill.exe
3240	taskkill.exe
4192	taskkill.exe
3224	taskkill.exe
3784	taskkill.exe
1936	taskkill.exe
2688	taskkill.exe
5088	taskkill.exe
2744	taskkill.exe
4712	taskkill.exe
2472	taskkill.exe
3544	taskkill.exe
4432	taskkill.exe
4716	taskkill.exe
428	taskkill.exe
1360	taskkill.exe
4240	taskkill.exe
4496	taskkill.exe
5080	taskkill.exe
4732	taskkill.exe
4572	taskkill.exe
824	taskkill.exe
3360	taskkill.exe
1684	taskkill.exe
1652	taskkill.exe
1152	taskkill.exe
3236	taskkill.exe
4476	taskkill.exe
1228	taskkill.exe
1680	taskkill.exe
1860	taskkill.exe
324	taskkill.exe
4448	taskkill.exe
3300	taskkill.exe
404	taskkill.exe
4640	taskkill.exe
924	taskkill.exe
1728	taskkill.exe
4708	taskkill.exe
4828	taskkill.exe
1388	taskkill.exe
540	taskkill.exe
1588	taskkill.exe
4912	taskkill.exe
5000	taskkill.exe
4852	taskkill.exe
4300	taskkill.exe
3256	taskkill.exe
4288	taskkill.exe
1064	taskkill.exe
3436	taskkill.exe
3112	taskkill.exe
2564	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	3704	taskkill.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	3248	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	4720	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	4816	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	3724	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 4568	2408	d5d1cf23744836108f37cdc2df4bba1f_JaffaCakes118.exe	85
PID 2408 wrote to memory of 4568	2408	d5d1cf23744836108f37cdc2df4bba1f_JaffaCakes118.exe	85
PID 2408 wrote to memory of 4568	2408	d5d1cf23744836108f37cdc2df4bba1f_JaffaCakes118.exe	85
PID 4568 wrote to memory of 892	4568	cmd.exe	87
PID 4568 wrote to memory of 892	4568	cmd.exe	87
PID 4568 wrote to memory of 892	4568	cmd.exe	87
PID 4568 wrote to memory of 2812	4568	cmd.exe	88
PID 4568 wrote to memory of 2812	4568	cmd.exe	88
PID 4568 wrote to memory of 2812	4568	cmd.exe	88
PID 4568 wrote to memory of 3556	4568	cmd.exe	89
PID 4568 wrote to memory of 3556	4568	cmd.exe	89
PID 4568 wrote to memory of 3556	4568	cmd.exe	89
PID 4568 wrote to memory of 2520	4568	cmd.exe	90
PID 4568 wrote to memory of 2520	4568	cmd.exe	90
PID 4568 wrote to memory of 2520	4568	cmd.exe	90
PID 4568 wrote to memory of 3364	4568	cmd.exe	92
PID 4568 wrote to memory of 3364	4568	cmd.exe	92
PID 4568 wrote to memory of 3364	4568	cmd.exe	92
PID 4568 wrote to memory of 396	4568	cmd.exe	94
PID 4568 wrote to memory of 396	4568	cmd.exe	94
PID 4568 wrote to memory of 396	4568	cmd.exe	94
PID 4568 wrote to memory of 2340	4568	cmd.exe	95
PID 4568 wrote to memory of 2340	4568	cmd.exe	95
PID 4568 wrote to memory of 2340	4568	cmd.exe	95
PID 4568 wrote to memory of 3860	4568	cmd.exe	96
PID 4568 wrote to memory of 3860	4568	cmd.exe	96
PID 4568 wrote to memory of 3860	4568	cmd.exe	96
PID 4568 wrote to memory of 2636	4568	cmd.exe	97
PID 4568 wrote to memory of 2636	4568	cmd.exe	97
PID 4568 wrote to memory of 2636	4568	cmd.exe	97
PID 4568 wrote to memory of 3420	4568	cmd.exe	98
PID 4568 wrote to memory of 3420	4568	cmd.exe	98
PID 4568 wrote to memory of 3420	4568	cmd.exe	98
PID 4568 wrote to memory of 3704	4568	cmd.exe	99
PID 4568 wrote to memory of 3704	4568	cmd.exe	99
PID 4568 wrote to memory of 3704	4568	cmd.exe	99
PID 4568 wrote to memory of 4448	4568	cmd.exe	100
PID 4568 wrote to memory of 4448	4568	cmd.exe	100
PID 4568 wrote to memory of 4448	4568	cmd.exe	100
PID 4568 wrote to memory of 220	4568	cmd.exe	101
PID 4568 wrote to memory of 220	4568	cmd.exe	101
PID 4568 wrote to memory of 220	4568	cmd.exe	101
PID 4568 wrote to memory of 760	4568	cmd.exe	102
PID 4568 wrote to memory of 760	4568	cmd.exe	102
PID 4568 wrote to memory of 760	4568	cmd.exe	102
PID 4568 wrote to memory of 4640	4568	cmd.exe	103
PID 4568 wrote to memory of 4640	4568	cmd.exe	103
PID 4568 wrote to memory of 4640	4568	cmd.exe	103
PID 4568 wrote to memory of 1844	4568	cmd.exe	104
PID 4568 wrote to memory of 1844	4568	cmd.exe	104
PID 4568 wrote to memory of 1844	4568	cmd.exe	104
PID 4568 wrote to memory of 4156	4568	cmd.exe	105
PID 4568 wrote to memory of 4156	4568	cmd.exe	105
PID 4568 wrote to memory of 4156	4568	cmd.exe	105
PID 4568 wrote to memory of 1900	4568	cmd.exe	106
PID 4568 wrote to memory of 1900	4568	cmd.exe	106
PID 4568 wrote to memory of 1900	4568	cmd.exe	106
PID 4568 wrote to memory of 968	4568	cmd.exe	107
PID 4568 wrote to memory of 968	4568	cmd.exe	107
PID 4568 wrote to memory of 968	4568	cmd.exe	107
PID 4568 wrote to memory of 2124	4568	cmd.exe	108
PID 4568 wrote to memory of 2124	4568	cmd.exe	108
PID 4568 wrote to memory of 2124	4568	cmd.exe	108
PID 4568 wrote to memory of 4040	4568	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\d5d1cf23744836108f37cdc2df4bba1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5d1cf23744836108f37cdc2df4bba1f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\avgup.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    PID:892
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v AVGi /t REG_SZ /d C:\WINDOWS\AVGi.exe /f
    3⤵
    - Adds Run key to start application
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v AVGs /t REG_SZ /d C:\WINDOWS\AVGs.exe /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3556
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v AVGuP /t REG_SZ /d C:\WINDOWS\AVGuP.exe /f
    3⤵
    - Adds Run key to start application
    PID:2520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32kui.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32krn.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kav.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kavmm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avp.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgemc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgamsvr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgupsvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashdisp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashmaisv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashserv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aswupdsv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ewidoctrl.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guard.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gcasdtserv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msmpeng.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcafee.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mghml.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im outpost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im isafe.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im minilog.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zonealarm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zlclient.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im updclient.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccapp.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navw32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navapsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccsetmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cccproxy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccapp.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccevtmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfmntor.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im logexprt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisum.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im issvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cpdclnt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavprsrv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavprot.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avengine.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im apvxdwin.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im webproxy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avguard.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgnt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im shed.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsched32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sccomm.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spiderml.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sgmain.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spywareguard.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kpf4gui.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kpf4ss.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcdash.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcdetect.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcregwiz.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcinfo.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mghtml.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oasclnt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfagent.exe
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfconsole.exe
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfservice.exe
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpftray.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfwizard.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mvtx.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im _avp32.exe
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im _avpcc.exe
    3⤵
    - Kills process with taskkill
    PID:4716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im _avpm.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ackwin32.exe
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im advxdwin.exe
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agentsvr.exe
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agv.exe
    3⤵
    PID:3692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ahnsd.exe
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alertsvc.exe
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alogserv.exe
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im amon.exe
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im amon9x.exe
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im amonavp32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im anti -trojan.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im antivir.exe
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im antivirus.exe
    3⤵
    PID:528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ants.exe
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im antssircam.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im apimonitor.exe
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aplica32.exe
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im apvxdwin.exe
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atcon.exe
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atguard.exe
    3⤵
    PID:220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ats.exe
    3⤵
    - Kills process with taskkill
    PID:3236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atscan.exe
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atupdater.exe
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atwatch.exe
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im autodown.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im autotrace.exe
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im autoupdate.exe
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avconsol.exe
    3⤵
    - Kills process with taskkill
    PID:3300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ave32.exe
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc32.exe
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgctrl.exe
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9.exe
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9schedapp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkpop.exe
    3⤵
    - Kills process with taskkill
    PID:1680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkservice.exe
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkwcl9.exe
    3⤵
    PID:912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkwctl9.exe
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avnt.exe
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avp.exe
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avp32.exe
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpcc.exe
    3⤵
    - Kills process with taskkill
    PID:4572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AVPCC Service.exe
    3⤵
    PID:948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpccavpm.exe
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpdos32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpexec.exe
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpinst.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpm.exe
    3⤵
    PID:376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpmonitor.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avptc.exe
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avptc32.exe
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpupd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpupdates.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avrescue.exe
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsched32.exe
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsynmgr.exe
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avwin95.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avwinnt.exe
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avwupd32.exe
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxgui.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxinit.exe
    3⤵
    PID:956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxlive.exe
    3⤵
    PID:516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxmonitor9x.exe
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxmonitornt.exe
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxnews.exe
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxquar.exe
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxsch.exe
    3⤵
    - Kills process with taskkill
    PID:5056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxw.exe
    3⤵
    - Kills process with taskkill
    PID:232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BACKLOG.exe
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bd_professional.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bidef.exe
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bidserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bipcp.exe
    3⤵
    - Kills process with taskkill
    PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bisp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im blackd.exe
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im blackice.exe
    3⤵
    PID:408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im blackiceblackd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BootWarn.exe
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im borg2.exe
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bs120.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bullguard.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccApp.exe
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccevtmgr.exe
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccIMScan.exe
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccPwdSrc.exe
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccpxysvc.exe
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccSetMgr.exe
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cdp.exe
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfiadmin.exe
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfiaudit.exe
    3⤵
    - Kills process with taskkill
    PID:540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfinet.exe
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfinet32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im claw95.exe
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im claw95cf.exe
    3⤵
    - Kills process with taskkill
    PID:5044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clean.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cleaner.exe
    3⤵
    PID:376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cleaner3.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cleanpc.exe
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmgrdian.exe
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmon016.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im codered.exe
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im connectionmonitor.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conseal.exe
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cpd.exe
    3⤵
    PID:528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cpf9x206.exe
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ctrl.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defalert.exe
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defence.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defense.exe
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defscangui.exe
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defwatch.exe
    3⤵
    PID:220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im deputy.exe
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im doors.exe
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dpf.exe
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im drwatson.exe
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im drweb32.exe
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dvp95.exe
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dvp95_0.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ecengine.exe
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im edisk.exe
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im efpeadm.exe
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im esafe.exe
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im escanh95.exe
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im escanhnt.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im escanv95.exe
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im espwatch.exe
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im etrustcipe.exe
    3⤵
    - Kills process with taskkill
    PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im evpn.exe
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im exantivirus -cnet.exe
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fameh32.exe
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fast.exe
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fch32.exe
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fih32.exe
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im findviru.exe
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im firewall.exe
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fix-it.exe
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im flowprotector.exe
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fnrb32.exe
    3⤵
    - Kills process with taskkill
    PID:3784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fp -win.exe
    3⤵
    PID:540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fp -win_trial.exe
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fprot.exe
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im frw.exe
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsaa.exe
    3⤵
    - Kills process with taskkill
    PID:1936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsav32.exe
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsav95.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsave32.exe
    3⤵
    PID:376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsgk32.exe
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsm32.exe
    3⤵
    - Kills process with taskkill
    PID:3228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsma32.exe
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsmb32.exe
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fwenc.exe
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gbmenu.exe
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gbpoll.exe
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gedit.exe
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im generics.exe
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im grief3878.exe
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guard.exe
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guarddog.exe
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HackerEliminator.exe
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iamapp.exe
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iamserv.exe
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iamstats.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ibmasn.exe
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ibmavsp.exe
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icload95.exe
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icloadnt.exe
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icmon.exe
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icsupp95.exe
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icsuppnt.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iface.exe
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ifw2000.exe
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im inoculateit.exe
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iomon98.exe
    3⤵
    - Kills process with taskkill
    PID:924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iparmor.exe
    3⤵
    PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iris.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im isrv95.exe
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im jammer.exe
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im jedi.exe
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kavpf.exe
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ldnetmon.exe
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ldpromenu.exe
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ldscan.exe
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im localnet.exe
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lockdown.exe
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lookout.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im luall.exe
    3⤵
    PID:748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lucomserver.exe
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im luspt.exe
    3⤵
    - Kills process with taskkill
    PID:1588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcafee.exe
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcagent.exe
    3⤵
    PID:376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcmnhdlr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcshield.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcshieldvvstat.exe
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mctool.exe
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcupdate.exe
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcvsrte.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcvsshld.exe
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mgavrtcl.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mgavrte.exe
    3⤵
    - Kills process with taskkill
    PID:1360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mghtml.exe
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mgui.exe
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im minilog.exe
    3⤵
    PID:516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mon.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im monitor.exe
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im monsys32.exe
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im monsysnt.exe
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im moolive.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfservice.exe
    3⤵
    - Kills process with taskkill
    PID:3360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpftray.exe
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mrflux.exe
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo32.exe
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mwatch.exe
    3⤵
    PID:968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mxtask.exe
    3⤵
    PID:428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im n32scanw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nav.exe
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im NAV DefAlert.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nav32.exe
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navalert.exe
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navap.exe
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navapsvc.exe
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im NAVAPW32.exe
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navauto -protect.exe
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navdx.exe
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navengnavex15.exe
    3⤵
    - Kills process with taskkill
    PID:3596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navlu32.exe
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navnt.exe
    3⤵
    - Kills process with taskkill
    PID:2688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navrunr.exe
    3⤵
    PID:912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navstub.exe
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navw32.exe
    3⤵
    - Kills process with taskkill
    PID:4704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Navwnt.exe
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nc2000.exe
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ndd32.exe
    3⤵
    - Kills process with taskkill
    PID:4912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im neomonitor.exe
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im neowatchlog.exe
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im net2000.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netarmor.exe
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netcommando.exe
    3⤵
    - Kills process with taskkill
    PID:4580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netinfo.exe
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netmon.exe
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netpro.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netprotect.exe
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netscanpro.exe
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netspyhunter -1.2.exe
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netstat.exe
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netutils.exe
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netutils].exe
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nimda.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisserv.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisum.exe
    3⤵
    PID:640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisumnisservnisum.exe
    3⤵
    PID:956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nmain.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32.exe
    3⤵
    PID:456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman_32.exe
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman_av.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman32.exe
    3⤵
    PID:212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im normanav.exe
    3⤵
    PID:232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im normist.exe
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton.exe
    3⤵
    - Kills process with taskkill
    PID:1684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Norton Auto-Protect.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton_av.exe
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nortonav.exe
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im notstart.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfmessenger.exe
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfw.exe
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfw32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nprotect.exe
    3⤵
    PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npscheck.exe
    3⤵
    - Kills process with taskkill
    PID:1728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npssvc.exe
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nresq32.exe
    3⤵
    PID:924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nsched32.exe
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nschednt.exe
    3⤵
    - Kills process with taskkill
    PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nsplugin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntrtscan.exe
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntvdm.exe
    3⤵
    - Kills process with taskkill
    PID:5088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntxconfig.exe
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nui.exe
    3⤵
    PID:912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nupgrade.exe
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvarch16.exe
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvc95.exe
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvsvc32.exe
    3⤵
    - Kills process with taskkill
    PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nwservice.exe
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nwtool16.exe
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im offguard.exe
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OPScan.exe
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ostronet.exe
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im outpost.exe
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im padmin.exe
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im panda.exe
    3⤵
    - Kills process with taskkill
    PID:4708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pandaav.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im panixk.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pav.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavcl.exe
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavproxy.exe
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavsched.exe
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavw.exe
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pc -cillan.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pc -cillin.exe
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccclient.exe
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccguide.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pcciomon.exe
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccntmon.exe
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccwin97.exe
    3⤵
    PID:324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccwin98.exe
    3⤵
    - Kills process with taskkill
    PID:3256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pcfwallicon.exe
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pcscan.exe
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im periscope.exe
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im persfw.exe
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pf2.exe
    3⤵
    - Kills process with taskkill
    PID:4496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pfwadmin.exe
    3⤵
    - Kills process with taskkill
    PID:5000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pingscan.exe
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im platin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pop3trap.exe
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im poproxy.exe
    3⤵
    PID:428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im portdetective.exe
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im portmonitor.exe
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ppinupdt.exe
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pptbc.exe
    3⤵
    - Kills process with taskkill
    PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ppvstop.exe
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im processmonitor.exe
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im procexplorerv10#.exe
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im programauditor.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im proport.exe
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im protectx.exe
    3⤵
    - Kills process with taskkill
    PID:4240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pspf.exe
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im purge.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pview95.exe
    3⤵
    PID:548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pw32.exe
    3⤵
    PID:452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im qconsole.exe
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rav.exe
    3⤵
    - Kills process with taskkill
    PID:4852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rav7.exe
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rav7win.exe
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im realmon.exe
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regrun2.exe
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rescue.exe
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rrguard.exe
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rshell.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rtvscn95.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rulaunch.exe
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im safeweb.exe
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SAVscan.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sbserv.exe
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SBservice.exe
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scan.exe
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scan32.exe
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scan95.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scanpm.exe
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scrscan.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sd.exe
    3⤵
    - Kills process with taskkill
    PID:404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SENS.exe
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im serv95.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sfc.exe
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sh.exe
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sharedaccess.exe
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im shn.exe
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im smc.exe
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sofi.exe
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sophos.exe
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sophos_av.exe
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sophosav.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spf.exe
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sphinx.exe
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spy.exe
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spygate.exe
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spyx.exe
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spyxx.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im srwatch.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ss3edit.exe
    3⤵
    - Kills process with taskkill
    PID:4712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im st2.exe
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im supftrl.exe
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im supp95.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im supporter5.exe
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweep95.exe
    3⤵
    PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweepnet.exe
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweepsrv.sys.exe
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweepsrv.sysvshwin32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im swnetsup.exe
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symantec.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Symantec Core LC.exe
    3⤵
    - Kills process with taskkill
    PID:2640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symlcsvc.exe
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symproxysvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symtray.exe
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysedit.exe
    3⤵
    PID:8
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmon.exe
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taumon.exe
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tauscan.exe
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tbscan.exe
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tcm.exe
    3⤵
    - Kills process with taskkill
    PID:5080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tctca.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tds -3.exe
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tds2 -98.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tds2 -nt.exe
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tfak.exe
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tfak5.exe
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tgbob.exe
    3⤵
    - Kills process with taskkill
    PID:4476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im trendmicro.exe
    3⤵
    - Kills process with taskkill
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im trjscan.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im trojantrap3.exe
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im TrueVector.exe
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im undoboot.exe
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im update.exe
    3⤵
    PID:396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbcmserv.exe
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbcons.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbust.exe
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbwin9x.exe
    3⤵
    - Kills process with taskkill
    PID:4288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbwinntw.exe
    3⤵
    PID:640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vccmserv.exe
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vcontrol.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vet32.exe
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vet95.exe
    3⤵
    - Kills process with taskkill
    PID:324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vettray.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vir -help.exe
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im virus.exe
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im virusmdpersonalfirewall.exe
    3⤵
    PID:4156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vnlan300.exe
    3⤵
    - Kills process with taskkill
    PID:3544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vnpc3000.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vpc32.exe
    3⤵
    - Kills process with taskkill
    PID:4432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vpfw30s.exe
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vptray.exe
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vscan40.exe
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsched.exe
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsecomr.exe
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vshwin32.exe
    3⤵
    - Kills process with taskkill
    PID:4664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vshwin32vbcmserv.exe
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsmain.exe
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsmon.exe
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsstat.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vswin9xe.exe
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vswinntse.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im w9x.exe
    3⤵
    - Kills process with taskkill
    PID:1064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im watchdog.exe
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im webscanx.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im webtrap.exe
    3⤵
    - Kills process with taskkill
    PID:3436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wfindv32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wgfe95.exe
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im whoswatchingme.exe
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wimmun32.exe
    3⤵
    PID:916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winrecon.exe
    3⤵
    PID:864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winroute.exe
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winsfcm.exe
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wnt.exe
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wqkmm3878.exe
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wradmin.exe
    3⤵
    - Kills process with taskkill
    PID:3224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wrctrl.exe
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wsbgate.exe
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wyvernworksfirewall.exe
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zapro.exe
    3⤵
    - Kills process with taskkill
    PID:3656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zatutor.exe
    3⤵
    - Kills process with taskkill
    PID:4828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zauinst.exe
    3⤵
    PID:376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zonealarm.exe
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\net.exe
    net stop "central de seguranτa"
    3⤵
    PID:3276
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "central de seguranτa"
      4⤵
      PID:4916
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:3692
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:4548
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\avgup.bat

Filesize
19KB

MD5
c90df8f993ff49a837181d19282661d2

SHA1
22b36978dae47c654ce1c78b8f88001413f0b7bc

SHA256
007bcf42c1d05bd8d562fb7974db500646a9f7b6ed87e60bb2c388dd6653e9c3

SHA512
9208e321c7905dbb350557a6730b269b00dd1ec3417e77c3c90e95956a627282d32dd1019963c7055432409ab3e5ea9edfa9925a9769418896ef602a6b40489b

Download Submit
memory/2408-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2408-4-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads