ardamax | e36d1b390e6fd37dfa4dd0bab62322eba92b98a4d1be41e1918c91d5f6250dec

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe
Size

606KB
MD5

79fff9307d2080c9af29ca8d28f7ec47
SHA1

bb9fe640102bd3eba7956073180d7ff16e8755cf
SHA256

e36d1b390e6fd37dfa4dd0bab62322eba92b98a4d1be41e1918c91d5f6250dec
SHA512

a5c0808ccb685cc8342129249461e6dfb97b23ec4e6464c0d71c3529fabaca812fcc64f5de829aad8e2b5a7b50628c68fc61e358e7c0ccd5b22aac712814408e
SSDEEP

12288:whaCEJNB7YpOgynhbTU3eS9B6gDpdImyxR5LmTofnP5BVENGWAKe:wwCINBMph4hnUuSfpdC5gofnPxEp+

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001925e-52.dat	family_ardamax

Executes dropped EXE 4 IoCs

pid	Process
2164	teste3.exe
580	3201977.exe
2804	3754476.exe
2464	NIH.exe

Loads dropped DLL 13 IoCs

pid	Process
2168	cmd.exe
2168	cmd.exe
2164	teste3.exe
2164	teste3.exe
580	3201977.exe
2164	teste3.exe
580	3201977.exe
2164	teste3.exe
580	3201977.exe
2464	NIH.exe
2464	NIH.exe
2804	3754476.exe
1812	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kill = "c:\\windows\\Install.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NIH.001	3201977.exe
File created	C:\Windows\SysWOW64\NIH.006	3201977.exe
File created	C:\Windows\SysWOW64\NIH.007	3201977.exe
File created	C:\Windows\SysWOW64\NIH.exe	3201977.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2804-58-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/files/0x00050000000195c5-49.dat	upx
behavioral1/memory/2804-66-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-68-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-69-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-70-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-71-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-87-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-91-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-92-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-93-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-94-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-95-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-96-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-97-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/2804-98-0x0000000000400000-0x0000000000484000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	NIH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3201977.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1516	taskkill.exe
1992	taskkill.exe
2636	taskkill.exe
296	taskkill.exe
2200	taskkill.exe
2924	taskkill.exe
2948	taskkill.exe
1688	taskkill.exe
1180	taskkill.exe
2756	taskkill.exe
1784	taskkill.exe
2236	taskkill.exe
1684	taskkill.exe
836	taskkill.exe
1656	taskkill.exe
1332	taskkill.exe
1860	taskkill.exe
2068	taskkill.exe
2352	taskkill.exe
1088	taskkill.exe
1988	taskkill.exe
2660	taskkill.exe
2820	taskkill.exe
1732	taskkill.exe
2276	taskkill.exe
2128	taskkill.exe
1724	taskkill.exe
2852	taskkill.exe
2972	taskkill.exe
2768	taskkill.exe
872	taskkill.exe
2008	taskkill.exe
2944	taskkill.exe
2836	taskkill.exe
2772	taskkill.exe
2408	taskkill.exe
2844	taskkill.exe
2412	taskkill.exe
2956	taskkill.exe
1292	taskkill.exe
2012	taskkill.exe
1532	taskkill.exe
1332	taskkill.exe
1816	taskkill.exe
1860	taskkill.exe
1508	taskkill.exe
2020	taskkill.exe
316	taskkill.exe
3000	taskkill.exe
1704	taskkill.exe
2488	taskkill.exe
2372	taskkill.exe
2708	taskkill.exe
2628	taskkill.exe
2960	taskkill.exe
904	taskkill.exe
1696	taskkill.exe
3044	taskkill.exe
2356	taskkill.exe
2088	taskkill.exe
1732	taskkill.exe
2500	taskkill.exe
1876	taskkill.exe
2180	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1584	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	3754476.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: 33	2464	NIH.exe
Token: SeIncBasePriorityPrivilege	2464	NIH.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2164	teste3.exe
2464	NIH.exe
2464	NIH.exe
2464	NIH.exe
2464	NIH.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2168	2512	79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2168	2512	79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2168	2512	79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2168	2512	79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2164	2168	cmd.exe	32
PID 2168 wrote to memory of 2164	2168	cmd.exe	32
PID 2168 wrote to memory of 2164	2168	cmd.exe	32
PID 2168 wrote to memory of 2164	2168	cmd.exe	32
PID 2164 wrote to memory of 1812	2164	teste3.exe	33
PID 2164 wrote to memory of 1812	2164	teste3.exe	33
PID 2164 wrote to memory of 1812	2164	teste3.exe	33
PID 2164 wrote to memory of 1812	2164	teste3.exe	33
PID 1812 wrote to memory of 2960	1812	cmd.exe	35
PID 1812 wrote to memory of 2960	1812	cmd.exe	35
PID 1812 wrote to memory of 2960	1812	cmd.exe	35
PID 1812 wrote to memory of 2960	1812	cmd.exe	35
PID 2164 wrote to memory of 580	2164	teste3.exe	36
PID 2164 wrote to memory of 580	2164	teste3.exe	36
PID 2164 wrote to memory of 580	2164	teste3.exe	36
PID 2164 wrote to memory of 580	2164	teste3.exe	36
PID 2164 wrote to memory of 2804	2164	teste3.exe	39
PID 2164 wrote to memory of 2804	2164	teste3.exe	39
PID 2164 wrote to memory of 2804	2164	teste3.exe	39
PID 2164 wrote to memory of 2804	2164	teste3.exe	39
PID 580 wrote to memory of 2464	580	3201977.exe	38
PID 580 wrote to memory of 2464	580	3201977.exe	38
PID 580 wrote to memory of 2464	580	3201977.exe	38
PID 580 wrote to memory of 2464	580	3201977.exe	38
PID 1812 wrote to memory of 2932	1812	cmd.exe	40
PID 1812 wrote to memory of 2932	1812	cmd.exe	40
PID 1812 wrote to memory of 2932	1812	cmd.exe	40
PID 1812 wrote to memory of 2932	1812	cmd.exe	40
PID 1812 wrote to memory of 1200	1812	cmd.exe	41
PID 1812 wrote to memory of 1200	1812	cmd.exe	41
PID 1812 wrote to memory of 1200	1812	cmd.exe	41
PID 1812 wrote to memory of 1200	1812	cmd.exe	41
PID 1812 wrote to memory of 1684	1812	cmd.exe	42
PID 1812 wrote to memory of 1684	1812	cmd.exe	42
PID 1812 wrote to memory of 1684	1812	cmd.exe	42
PID 1812 wrote to memory of 1684	1812	cmd.exe	42
PID 1812 wrote to memory of 1484	1812	cmd.exe	43
PID 1812 wrote to memory of 1484	1812	cmd.exe	43
PID 1812 wrote to memory of 1484	1812	cmd.exe	43
PID 1812 wrote to memory of 1484	1812	cmd.exe	43
PID 1812 wrote to memory of 1992	1812	cmd.exe	44
PID 1812 wrote to memory of 1992	1812	cmd.exe	44
PID 1812 wrote to memory of 1992	1812	cmd.exe	44
PID 1812 wrote to memory of 1992	1812	cmd.exe	44
PID 1812 wrote to memory of 2848	1812	cmd.exe	45
PID 1812 wrote to memory of 2848	1812	cmd.exe	45
PID 1812 wrote to memory of 2848	1812	cmd.exe	45
PID 1812 wrote to memory of 2848	1812	cmd.exe	45
PID 1812 wrote to memory of 2836	1812	cmd.exe	46
PID 1812 wrote to memory of 2836	1812	cmd.exe	46
PID 1812 wrote to memory of 2836	1812	cmd.exe	46
PID 1812 wrote to memory of 2836	1812	cmd.exe	46
PID 1812 wrote to memory of 2844	1812	cmd.exe	47
PID 1812 wrote to memory of 2844	1812	cmd.exe	47
PID 1812 wrote to memory of 2844	1812	cmd.exe	47
PID 1812 wrote to memory of 2844	1812	cmd.exe	47
PID 1812 wrote to memory of 2008	1812	cmd.exe	48
PID 1812 wrote to memory of 2008	1812	cmd.exe	48
PID 1812 wrote to memory of 2008	1812	cmd.exe	48
PID 1812 wrote to memory of 2008	1812	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt6818.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\teste3.exe
    teste3.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\8703729.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nod32krn.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nod32.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kav.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kavmm.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgemc.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgcc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgamsvr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgupsvc.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgw.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ashwebsv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ashdisp.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ashmaisv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ashserv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ashwebsv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im aswupdsv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ewidoctrl.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im guard.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im gcasdtserv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im msmpeng.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcafee.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mghml.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im msiexec.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im outpost.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im isafe.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im minilog.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zonealarm.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zlclient.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im updclient.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccapp.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navw32.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norton.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navapsvc.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccsetmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cccproxy.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccapp.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccevtmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npfmntor.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im logexprt.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nisum.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im issvc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cpdclnt.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavprsrv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavprot.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avengine.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im apvxdwin.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im webproxy.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avguard.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgnt.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im shed.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avsched32.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sccomm.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spiderml.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sgmain.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spywareguard.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kpf4gui.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kpf4ss.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcdash.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcdetect.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcregwiz.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcinfo.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mghtml.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im oasclnt.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpfagent.exe
        5⤵
        
        PID:1880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpfconsole.exe
        5⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpfservice.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpftray.exe
        5⤵
        Kills process with taskkill
        
        PID:1532
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpfwizard.exe
        5⤵
        
        PID:3068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mvtx.exe
        5⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im _avp32.exe
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im _avpcc.exe
        5⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im _avpm.exe
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ackwin32.exe
        5⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im advxdwin.exe
        5⤵
        
        PID:912
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im agentsvr.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:616
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im agv.exe
        5⤵
        
        PID:2232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ahnsd.exe
        5⤵
        
        PID:2076
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im alertsvc.exe
        5⤵
        
        PID:1072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im alogserv.exe
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im amon.exe
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im amon9x.exe
        5⤵
        
        PID:1704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im amonavp32.exe
        5⤵
        
        PID:1732
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im anti -trojan.exe
        5⤵
        Kills process with taskkill
        
        PID:2412
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im antivir.exe
        5⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im antivirus.exe
        5⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ants.exe
        5⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im antssircam.exe
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im apimonitor.exe
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im aplica32.exe
        5⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im apvxdwin.exe
        5⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im atcon.exe
        5⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im atguard.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ats.exe
        5⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im atscan.exe
        5⤵
        Kills process with taskkill
        
        PID:2772
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im atupdater.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im atwatch.exe
        5⤵
        
        PID:2664
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im autodown.exe
        5⤵
        
        PID:892
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im autotrace.exe
        5⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im autoupdate.exe
        5⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avconsol.exe
        5⤵
        
        PID:840
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ave32.exe
        5⤵
        
        PID:1508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgcc32.exe
        5⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgctrl.exe
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgserv.exe
        5⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgserv9.exe
        5⤵
        
        PID:2944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgserv9schedapp.exe
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgw.exe
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avkpop.exe
        5⤵
        
        PID:1500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avkserv.exe
        5⤵
        Kills process with taskkill
        
        PID:2488
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avkservice.exe
        5⤵
        Kills process with taskkill
        
        PID:1180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avkwcl9.exe
        5⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avkwctl9.exe
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avnt.exe
        5⤵
        
        PID:1880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avp.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avp32.exe
        5⤵
        Kills process with taskkill
        
        PID:2372
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpcc.exe
        5⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im AVPCC Service.exe
        5⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpccavpm.exe
        5⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpdos32.exe
        5⤵
        
        PID:1300
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpexec.exe
        5⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpinst.exe
        5⤵
        Kills process with taskkill
        
        PID:296
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpm.exe
        5⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpmonitor.exe
        5⤵
        
        PID:916
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avptc.exe
        5⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avptc32.exe
        5⤵
        Kills process with taskkill
        
        PID:2756
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpupd.exe
        5⤵
        
        PID:3060
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpupdates.exe
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avrescue.exe
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avsched32.exe
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avsynmgr.exe
        5⤵
        
        PID:2108
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avwin95.exe
        5⤵
        
        PID:804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avwinnt.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avwupd32.exe
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxgui.exe
        5⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxinit.exe
        5⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxlive.exe
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxmonitor9x.exe
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxmonitornt.exe
        5⤵
        
        PID:2336
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxnews.exe
        5⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxquar.exe
        5⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxsch.exe
        5⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxw.exe
        5⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im BACKLOG.exe
        5⤵
        
        PID:1124
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bd_professional.exe
        5⤵
        
        PID:2976
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bidef.exe
        5⤵
        
        PID:2676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bidserver.exe
        5⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bipcp.exe
        5⤵
        
        PID:980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bisp.exe
        5⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im blackd.exe
        5⤵
        
        PID:1200
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im blackice.exe
        5⤵
        Kills process with taskkill
        
        PID:1684
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im blackiceblackd.exe
        5⤵
        Kills process with taskkill
        
        PID:2852
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im BootWarn.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im borg2.exe
        5⤵
        
        PID:2604
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bs120.exe
        5⤵
        Kills process with taskkill
        
        PID:2708
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bullguard.exe
        5⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccApp.exe
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccevtmgr.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccIMScan.exe
        5⤵
        
        PID:2016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccPwdSrc.exe
        5⤵
        
        PID:1148
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccpxysvc.exe
        5⤵
        
        PID:2260
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccSetMgr.exe
        5⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cdp.exe
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cfiadmin.exe
        5⤵
        
        PID:2360
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cfiaudit.exe
        5⤵
        
        PID:1204
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cfinet.exe
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cfinet32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im claw95.exe
        5⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im claw95cf.exe
        5⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im clean.exe
        5⤵
        
        PID:1144
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cleaner.exe
        5⤵
        
        PID:1552
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cleaner3.exe
        5⤵
        Kills process with taskkill
        
        PID:904
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cleanpc.exe
        5⤵
        
        PID:616
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cmgrdian.exe
        5⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cmon016.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1784
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im codered.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im connectionmonitor.exe
        5⤵
        
        PID:1172
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im conseal.exe
        5⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cpd.exe
        5⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cpf9x206.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ctrl.exe
        5⤵
        
        PID:888
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im defalert.exe
        5⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im defence.exe
        5⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im defense.exe
        5⤵
        
        PID:1584
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im defscangui.exe
        5⤵
        
        PID:2556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im defwatch.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im deputy.exe
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im doors.exe
        5⤵
        Kills process with taskkill
        
        PID:2956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im dpf.exe
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im drwatson.exe
        5⤵
        
        PID:1348
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im drweb32.exe
        5⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im dvp95.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im dvp95_0.exe
        5⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ecengine.exe
        5⤵
        
        PID:2164
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im edisk.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im efpeadm.exe
        5⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im esafe.exe
        5⤵
        
        PID:1464
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im escanh95.exe
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im escanhnt.exe
        5⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im escanv95.exe
        5⤵
        Kills process with taskkill
        
        PID:1332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im espwatch.exe
        5⤵
        Kills process with taskkill
        
        PID:2820
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im etrustcipe.exe
        5⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im evpn.exe
        5⤵
        
        PID:3004
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im exantivirus -cnet.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fameh32.exe
        5⤵
        
        PID:2988
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fast.exe
        5⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fch32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fih32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im findviru.exe
        5⤵
        
        PID:1180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im firewall.exe
        5⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fix-it.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im flowprotector.exe
        5⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fnrb32.exe
        5⤵
        Kills process with taskkill
        
        PID:2408
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fp -win.exe
        5⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fp -win_trial.exe
        5⤵
        
        PID:956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fprot.exe
        5⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im frw.exe
        5⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsaa.exe
        5⤵
        
        PID:1300
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsav32.exe
        5⤵
        
        PID:1816
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsav95.exe
        5⤵
        
        PID:2024
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsave32.exe
        5⤵
        
        PID:2364
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsgk32.exe
        5⤵
        
        PID:236
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsm32.exe
        5⤵
        
        PID:1376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsma32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsmb32.exe
        5⤵
        
        PID:2276
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fwenc.exe
        5⤵
        
        PID:2072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im gbmenu.exe
        5⤵
        
        PID:752
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im gbpoll.exe
        5⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im gedit.exe
        5⤵
        
        PID:1704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im generics.exe
        5⤵
        
        PID:564
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im grief3878.exe
        5⤵
        
        PID:988
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im guard.exe
        5⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im guarddog.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im HackerEliminator.exe
        5⤵
        
        PID:2440
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iamapp.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iamserv.exe
        5⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iamstats.exe
        5⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ibmasn.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ibmavsp.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2628
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im icload95.exe
        5⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im icloadnt.exe
        5⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im icmon.exe
        5⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im icsupp95.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im icsuppnt.exe
        5⤵
        
        PID:2676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iface.exe
        5⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ifw2000.exe
        5⤵
        
        PID:2028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im inoculateit.exe
        5⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iomon98.exe
        5⤵
        
        PID:1200
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iparmor.exe
        5⤵
        Kills process with taskkill
        
        PID:2352
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iris.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im isrv95.exe
        5⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im jammer.exe
        5⤵
        
        PID:1664
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im jedi.exe
        5⤵
        Kills process with taskkill
        
        PID:2944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kavpf.exe
        5⤵
        
        PID:3016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ldnetmon.exe
        5⤵
        
        PID:2988
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ldpromenu.exe
        5⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ldscan.exe
        5⤵
        
        PID:1500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im localnet.exe
        5⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im lockdown.exe
        5⤵
        
        PID:1180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im lookout.exe
        5⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im luall.exe
        5⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im lucomserver.exe
        5⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im luspt.exe
        5⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcafee.exe
        5⤵
        
        PID:292
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcagent.exe
        5⤵
        
        PID:856
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcmnhdlr.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2128
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcshield.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:316
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcshieldvvstat.exe
        5⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mctool.exe
        5⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcupdate.exe
        5⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcvsrte.exe
        5⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcvsshld.exe
        5⤵
        
        PID:3060
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mgavrtcl.exe
        5⤵
        
        PID:380
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mgavrte.exe
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mghtml.exe
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mgui.exe
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im minilog.exe
        5⤵
        Kills process with taskkill
        
        PID:1732
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mon.exe
        5⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im monitor.exe
        5⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im monsys32.exe
        5⤵
        
        PID:2328
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im monsysnt.exe
        5⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im moolive.exe
        5⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpfservice.exe
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpftray.exe
        5⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mrflux.exe
        5⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im msinfo32.exe
        5⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mwatch.exe
        5⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mxtask.exe
        5⤵
        
        PID:1348
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im n32scanw.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nav.exe
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im NAV DefAlert.exe
        5⤵
        
        PID:2792
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nav32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navalert.exe
        5⤵
        
        PID:2676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navap.exe
        5⤵
        
        PID:2332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navapsvc.exe
        5⤵
        
        PID:2028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im NAVAPW32.exe
        5⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navauto -protect.exe
        5⤵
        
        PID:1200
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navdx.exe
        5⤵
        Kills process with taskkill
        
        PID:2236
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navengnavex15.exe
        5⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navlu32.exe
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navnt.exe
        5⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navrunr.exe
        5⤵
        
        PID:2680
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navstub.exe
        5⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navw32.exe
        5⤵
        
        PID:800
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Navwnt.exe
        5⤵
        
        PID:2264
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nc2000.exe
        5⤵
        Kills process with taskkill
        
        PID:2200
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ndd32.exe
        5⤵
        
        PID:1912
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im neomonitor.exe
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im neowatchlog.exe
        5⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im net2000.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:340
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netarmor.exe
        5⤵
        
        PID:2372
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netcommando.exe
        5⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netinfo.exe
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netmon.exe
        5⤵
        Kills process with taskkill
        
        PID:1696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netpro.exe
        5⤵
        Kills process with taskkill
        
        PID:1088
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netprotect.exe
        5⤵
        Kills process with taskkill
        
        PID:836
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netscanpro.exe
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netspyhunter -1.2.exe
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netstat.exe
        5⤵
        
        PID:1644
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netutils.exe
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netutils].exe
        5⤵
        
        PID:596
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nimda.exe
        5⤵
        Kills process with taskkill
        
        PID:1656
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nisserv.exe
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nisum.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nisumnisservnisum.exe
        5⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nmain.exe
        5⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nod32.exe
        5⤵
        
        PID:2388
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norman.exe
        5⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norman_32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norman_av.exe
        5⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norman32.exe
        5⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im normanav.exe
        5⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im normist.exe
        5⤵
        
        PID:2556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norton.exe
        5⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Norton Auto-Protect.exe
        5⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norton_av.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2924
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nortonav.exe
        5⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im notstart.exe
        5⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npfmessenger.exe
        5⤵
        
        PID:1348
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npfw.exe
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npfw32.exe
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nprotect.exe
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npscheck.exe
        5⤵
        
        PID:980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npssvc.exe
        5⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nresq32.exe
        5⤵
        
        PID:1464
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nsched32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nschednt.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nsplugin.exe
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ntrtscan.exe
        5⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ntvdm.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ntxconfig.exe
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nui.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nupgrade.exe
        5⤵
        
        PID:1860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nvarch16.exe
        5⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nvc95.exe
        5⤵
        
        PID:1148
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nvsvc32.exe
        5⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nwservice.exe
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nwtool16.exe
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im offguard.exe
        5⤵
        
        PID:708
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im OPScan.exe
        5⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ostronet.exe
        5⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im outpost.exe
        5⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im padmin.exe
        5⤵
        
        PID:2016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im panda.exe
        5⤵
        Kills process with taskkill
        
        PID:1816
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pandaav.exe
        5⤵
        Kills process with taskkill
        
        PID:316
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im panixk.exe
        5⤵
        
        PID:2364
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pav.exe
        5⤵
        
        PID:1552
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavcl.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:912
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavproxy.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavsched.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavw.exe
        5⤵
        
        PID:1784
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pc -cillan.exe
        5⤵
        
        PID:2072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pc -cillin.exe
        5⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pccclient.exe
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pccguide.exe
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pcciomon.exe
        5⤵
        Kills process with taskkill
        
        PID:1724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pccntmon.exe
        5⤵
        Kills process with taskkill
        
        PID:1732
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pccwin97.exe
        5⤵
        
        PID:2248
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pccwin98.exe
        5⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pcfwallicon.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pcscan.exe
        5⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im periscope.exe
        5⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im persfw.exe
        5⤵
        Kills process with taskkill
        
        PID:2948
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pf2.exe
        5⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pfwadmin.exe
        5⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pingscan.exe
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im platin.exe
        5⤵
        
        PID:580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pop3trap.exe
        5⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im poproxy.exe
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im portdetective.exe
        5⤵
        
        PID:1896
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im portmonitor.exe
        5⤵
        
        PID:2664
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ppinupdt.exe
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pptbc.exe
        5⤵
        Kills process with taskkill
        
        PID:2500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ppvstop.exe
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im processmonitor.exe
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im procexplorerv10#.exe
        5⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im programauditor.exe
        5⤵
        
        PID:692
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im proport.exe
        5⤵
        
        PID:1992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im protectx.exe
        5⤵
        
        PID:872
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pspf.exe
        5⤵
        Kills process with taskkill
        
        PID:2836
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im purge.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pview95.exe
        5⤵
        
        PID:768
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pw32.exe
        5⤵
        
        PID:2132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im qconsole.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rav.exe
        5⤵
        
        PID:2260
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rav7.exe
        5⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rav7win.exe
        5⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im realmon.exe
        5⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regrun2.exe
        5⤵
        
        PID:2596
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rescue.exe
        5⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rrguard.exe
        5⤵
        Kills process with taskkill
        
        PID:1516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rshell.exe
        5⤵
        
        PID:856
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rtvscn95.exe
        5⤵
        
        PID:2344
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rulaunch.exe
        5⤵
        
        PID:276
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im safeweb.exe
        5⤵
        Kills process with taskkill
        
        PID:1876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im SAVscan.exe
        5⤵
        
        PID:904
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sbserv.exe
        5⤵
        
        PID:1376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im SBservice.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im scan.exe
        5⤵
        
        PID:596
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im scan32.exe
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im scan95.exe
        5⤵
        
        PID:2072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im scanpm.exe
        5⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im scrscan.exe
        5⤵
        
        PID:772
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sd.exe
        5⤵
        
        PID:2108
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im SENS.exe
        5⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im serv95.exe
        5⤵
        
        PID:1708
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sfc.exe
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sh.exe
        5⤵
        
        PID:2168
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sharedaccess.exe
        5⤵
        
        PID:2592
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im shn.exe
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im smc.exe
        5⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sofi.exe
        5⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sophos.exe
        5⤵
        
        PID:888
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sophos_av.exe
        5⤵
        Kills process with taskkill
        
        PID:3000
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sophosav.exe
        5⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spf.exe
        5⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sphinx.exe
        5⤵
        
        PID:848
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spy.exe
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spygate.exe
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spyx.exe
        5⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spyxx.exe
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im srwatch.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ss3edit.exe
        5⤵
        Kills process with taskkill
        
        PID:2972
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im st2.exe
        5⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im supftrl.exe
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im supp95.exe
        5⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im supporter5.exe
        5⤵
        
        PID:1288
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sweep95.exe
        5⤵
        
        PID:1808
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sweepnet.exe
        5⤵
        
        PID:800
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sweepsrv.sys.exe
        5⤵
        Kills process with taskkill
        
        PID:1860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sweepsrv.sysvshwin32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im swnetsup.exe
        5⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im symantec.exe
        5⤵
        
        PID:1940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Symantec Core LC.exe
        5⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im symlcsvc.exe
        5⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im symproxysvc.exe
        5⤵
        
        PID:1880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im symtray.exe
        5⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sysedit.exe
        5⤵
        
        PID:3068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmon.exe
        5⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taumon.exe
        5⤵
        
        PID:304
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tauscan.exe
        5⤵
        Kills process with taskkill
        
        PID:1292
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tbscan.exe
        5⤵
        
        PID:1660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tcm.exe
        5⤵
        
        PID:296
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tctca.exe
        5⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tds -3.exe
        5⤵
        
        PID:904
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tds2 -98.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:912
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tds2 -nt.exe
        5⤵
        Kills process with taskkill
        
        PID:2356
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tfak.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2276
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tfak5.exe
        5⤵
        
        PID:1224
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tgbob.exe
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im trendmicro.exe
        5⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im trjscan.exe
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im trojantrap3.exe
        5⤵
        Kills process with taskkill
        
        PID:1688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im TrueVector.exe
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im undoboot.exe
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im update.exe
        5⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vbcmserv.exe
        5⤵
        
        PID:1584
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vbcons.exe
        5⤵
        
        PID:2316
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vbust.exe
        5⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vbwin9x.exe
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vbwinntw.exe
        5⤵
        Kills process with taskkill
        
        PID:3044
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vccmserv.exe
        5⤵
        Kills process with taskkill
        
        PID:2768
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vcontrol.exe
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vet32.exe
        5⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vet95.exe
        5⤵
        
        PID:580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vettray.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vir -help.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im virus.exe
        5⤵
        
        PID:560
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im virusmdpersonalfirewall.exe
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vnlan300.exe
        5⤵
        
        PID:1044
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vnpc3000.exe
        5⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vpc32.exe
        5⤵
        
        PID:2332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vpfw30s.exe
        5⤵
        
        PID:2648
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vptray.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vscan40.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vsched.exe
        5⤵
        Kills process with taskkill
        
        PID:1988
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vsecomr.exe
        5⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vshwin32.exe
        5⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vshwin32vbcmserv.exe
        5⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vsmain.exe
        5⤵
        
        PID:2008
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vsmon.exe
        5⤵
        
        PID:1436
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vsstat.exe
        5⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vswin9xe.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vswinntse.exe
        5⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im w9x.exe
        5⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im watchdog.exe
        5⤵
        
        PID:2680
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im webscanx.exe
        5⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im webtrap.exe
        5⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wfindv32.exe
        5⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wgfe95.exe
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im whoswatchingme.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wimmun32.exe
        5⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winrecon.exe
        5⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winroute.exe
        5⤵
        
        PID:1528
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winsfcm.exe
        5⤵
        
        PID:904
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wnt.exe
        5⤵
        
        PID:2060
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wqkmm3878.exe
        5⤵
        
        PID:380
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wradmin.exe
        5⤵
        
        PID:1636
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wrctrl.exe
        5⤵
        Kills process with taskkill
        
        PID:2088
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wsbgate.exe
        5⤵
        
        PID:880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wyvernworksfirewall.exe
        5⤵
        
        PID:772
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zapro.exe
        5⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zatutor.exe
        5⤵
        Kills process with taskkill
        
        PID:1704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zauinst.exe
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zonealarm.exe
        5⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kill /t REG_SZ /d c:\windows\Install.exe
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\3201977.exe
      "C:\Users\Admin\AppData\Local\Temp\3201977.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\Windows\SysWOW64\NIH.exe
        
        "C:\Windows\system32\NIH.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\3754476.exe
      "C:\Users\Admin\AppData\Local\Temp\3754476.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3754476.exe

Filesize
200KB

MD5
f5a8ec3c56be04678397908aced5f710

SHA1
3239460de2318ece427cd904a829808dce9b66ea

SHA256
9d068118cdb665746cf2e025214c3df3450a4a19f6592769c8a0abe20cf7227d

SHA512
2b4d6c24036c47e75ac34720043328d23927bf5b9b9e6decd0b380236925350a6240111c361cf1973a1a4400721c769518d76d3b80bed31b6f44cb188c75a090

Download Submit
C:\Users\Admin\AppData\Local\Temp\8703729.bat

Filesize
17KB

MD5
215d9acf1b4a99f61e49e79a8e083b74

SHA1
160fdf869acc0b497ab3fbceed4344537aa9d525

SHA256
be5ab46d10727b05f162cd2d65073bbb89c3cf7ceaab7d995736e7341dc7c307

SHA512
02e2d4829028000123a8436dc15c1a455a6480d5138f43a0e480f0fa5eedabd55a9796f92b92d800c052282b566f5707c88fb2567c2646aba077feb6f1bdeb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt6818.bat

Filesize
18B

MD5
c05407967c329e698a912d4bee44be62

SHA1
ba81f0b1f2dfdb71c30d580987f5d7ceb0b9b2de

SHA256
85c2e828e759f9f7495cb85a2aa4e360670ea43551486dafe2ff1cda77b067a4

SHA512
0402d2273ca0755423b5fd3c92ce0d89e1238a54a88d8f2df56cdcab9077026af88ac1abe6bbb8c0df8e2ff5883cef521afab4fda99967254e911dfcb41e897e

Download Submit
C:\Windows\SysWOW64\NIH.001

Filesize
2KB

MD5
0230f432bc8e345d53965fce1fc78a5d

SHA1
fa2e5cc7e7ce41c73e7bdb2e7c354a3fe3ef2a2a

SHA256
8a1b706aa5dde542e6dcbe562a4d37513779f8c9b32ee17e040d232b594c9b4f

SHA512
0c6044b85424994e7130ff8d4b5ed0c2ffde827e28bc63068957a0719cf651bcfabae9c0d250e8c24f6d32fa81ff88d8388e39f6ba6251e0ac67984983609615

Download Submit
C:\Windows\SysWOW64\NIH.006

Filesize
5KB

MD5
e98ae645054f00269eaad44b95c4e37c

SHA1
59bcfb291cb15f521e6e5982c12913052b5755b1

SHA256
028e4ef0ed6a7d9792ad2694c56b41ba247e72ef690089142c47bb6e1a693221

SHA512
ae4b1316c9785623944a0bc1884648f1382f3f8fb494927e7c872a72b0786fb5a1d090ebc2d5e468b91c8eef7663b43f73be4a1f65f7d8dd9bdaa6dfc694a35e

Download Submit
C:\Windows\SysWOW64\NIH.007

Filesize
4KB

MD5
ea32497496dd6b80be1c47fe5fac1fcf

SHA1
2bf9bee8e0f83b6785188a91047695ebcdf342da

SHA256
370a94fec91220668a370c2dcd0d2ac10c3f0a1d1befc7fee50db6f5e0b99676

SHA512
353d11071b695fe23080bc6d5cb5dc557b59b152b42921daec6f4124f9e8bb58555ac30c5ec96dae31871ff3d2416e91690b5f862d4feb5e7b038a996c8a1ff3

Download Submit
C:\Windows\SysWOW64\NIH.exe

Filesize
295KB

MD5
decf3769c920a9b642f56e24933cdf81

SHA1
930ddaf6b310fa2b3569580ff671e91d80b8b11b

SHA256
46a451f14816a0dc46d392158d1507f5806fe76e9fc9f0080d00d0b3dd26183b

SHA512
2807345e5ae0438c0bd41c3d0b6b09e3d1c04d0397e5e990d614125a14b6100de3c3f5bebab168f5654d6823eef5dbfd5a878aa0de64eec13bb546c8c32b8cb2

Download Submit
\Users\Admin\AppData\Local\Temp\3201977.exe

Filesize
202KB

MD5
9268d5734eeba88a56547bc5d7f6034a

SHA1
66e053262d241698f2c611203fd1697f8837d806

SHA256
bcdd8253acad7e3c700c5731562757bbb6bf2ab1cdc6b017f7eeb2f9d08b1c1e

SHA512
8a6fd5938c8a5f3ba8bc1a8c5a14148a1ed351c6d2b9f2365d686045cb8a8309cec87ff036fd67d970fabaf002a186033924782a807e0598c7967d692f5eb29e

Download Submit
\Users\Admin\AppData\Local\Temp\@C449.tmp

Filesize
4KB

MD5
3e52aef4a9e1bbf25dc611e0f5c45934

SHA1
91862bee5ac57eb719cf9bc14c69f9ef5affcbbf

SHA256
1b881b4299a8555f785088bd0e1b6969e76dc470f1f67429678a678c5f8b349d

SHA512
e4bc9fab4d1c555a896936927ff5866634885401a41f2eade5a976311dad3cdc40c0c7229c61925a8b32ae7b69c4c99537dc10baf292375a82a885a7a908a807

Download Submit
\Users\Admin\AppData\Local\Temp\teste3.exe

Filesize
863KB

MD5
35c340b45a3af572e48854e7ad0b177d

SHA1
0a36360c24cb7cf31c95e9f908f7d16cd126e04f

SHA256
2ccd3429ccb40be59497993dfd1fa7f02ffcf9c76b7fa66bc2829a9885234ad8

SHA512
ccaa6b5b534f81258bf458280cf9185a8519366ecc63b2a4db373d174a54fa7394d3747c2ec999918272f0cd4076cfd8c51825a4b504feec62d233dca425a8ad

Download Submit
memory/2164-57-0x0000000000670000-0x00000000006F4000-memory.dmp

Filesize
528KB

Download
memory/2164-56-0x0000000000670000-0x00000000006F4000-memory.dmp

Filesize
528KB

Download
memory/2512-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2804-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-91-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-68-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-69-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-70-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-71-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-87-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-58-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-92-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-93-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-94-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-95-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-96-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-97-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2804-98-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads