ardamax | e36d1b390e6fd37dfa4dd0bab62322eba92b98a4d1be41e1918c91d5f6250dec

Analysis

max time kernel
146s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe
Size

606KB
MD5

79fff9307d2080c9af29ca8d28f7ec47
SHA1

bb9fe640102bd3eba7956073180d7ff16e8755cf
SHA256

e36d1b390e6fd37dfa4dd0bab62322eba92b98a4d1be41e1918c91d5f6250dec
SHA512

a5c0808ccb685cc8342129249461e6dfb97b23ec4e6464c0d71c3529fabaca812fcc64f5de829aad8e2b5a7b50628c68fc61e358e7c0ccd5b22aac712814408e
SSDEEP

12288:whaCEJNB7YpOgynhbTU3eS9B6gDpdImyxR5LmTofnP5BVENGWAKe:wwCINBMph4hnUuSfpdC5gofnPxEp+

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\NIH.exe	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

teste3.exe3357312.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	teste3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3357312.exe

Executes dropped EXE 4 IoCs

Processes:

teste3.exe3357312.exeNIH.exe7350972.exe

pid process

3952 teste3.exe
2052 3357312.exe
4216 NIH.exe
868 7350972.exe
Loads dropped DLL 6 IoCs

Processes:

3357312.exeNIH.exe7350972.execmd.exe

pid process

2052 3357312.exe
4216 NIH.exe
4216 NIH.exe
4216 NIH.exe
868 7350972.exe
2744 cmd.exe

pid	process
3952	teste3.exe
2052	3357312.exe
4216	NIH.exe
868	7350972.exe

pid	process
2052	3357312.exe
4216	NIH.exe
4216	NIH.exe
4216	NIH.exe
868	7350972.exe
2744	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kill = "c:\\windows\\Install.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

3357312.exe

description	ioc	process
File created	C:\Windows\SysWOW64\NIH.001	3357312.exe
File created	C:\Windows\SysWOW64\NIH.006	3357312.exe
File created	C:\Windows\SysWOW64\NIH.007	3357312.exe
File created	C:\Windows\SysWOW64\NIH.exe	3357312.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7350972.exe	upx
behavioral2/memory/868-48-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-57-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-58-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-59-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-60-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-61-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-62-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-63-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-64-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-65-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-66-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-68-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-69-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-70-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/868-71-0x0000000000400000-0x0000000000484000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

NIH.exe

description ioc process

File opened for modification C:\Windows\SysWOW64 NIH.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64	NIH.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

pid	process
4868	taskkill.exe
3544	taskkill.exe
3232	taskkill.exe
1500	taskkill.exe
4304	taskkill.exe
4248	taskkill.exe
4892	taskkill.exe
4744	taskkill.exe
1608	taskkill.exe
4772	taskkill.exe
3428	taskkill.exe
1428	taskkill.exe
4676	taskkill.exe
1256	taskkill.exe
2324	taskkill.exe
1228	taskkill.exe
940	taskkill.exe
3888	taskkill.exe
4940	taskkill.exe
1436	taskkill.exe
2704	taskkill.exe
2544	taskkill.exe
4480	taskkill.exe
3420	taskkill.exe
1696	taskkill.exe
2008	taskkill.exe
2004	taskkill.exe
1056	taskkill.exe
2400	taskkill.exe
1428	taskkill.exe
1824	taskkill.exe
392	taskkill.exe
516	taskkill.exe
3620	taskkill.exe
3548	taskkill.exe
2084	taskkill.exe
3772	taskkill.exe
4624	taskkill.exe
456	taskkill.exe
1676	taskkill.exe
4332	taskkill.exe
5084	taskkill.exe
2400	taskkill.exe
4392	taskkill.exe
4352	taskkill.exe
4176	taskkill.exe
1684	taskkill.exe
4940	taskkill.exe
3200	taskkill.exe
3688	taskkill.exe
2928	taskkill.exe
3116	taskkill.exe
4176	taskkill.exe
940	taskkill.exe
4612	taskkill.exe
4840	taskkill.exe
8	taskkill.exe
5028	taskkill.exe
1576	taskkill.exe
2780	taskkill.exe
4584	taskkill.exe
432	taskkill.exe
2896	taskkill.exe
3792	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3360 reg.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7350972.exe

pid process

868 7350972.exe

pid	process
3360	reg.exe

pid	process
868	7350972.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeNIH.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4948	taskkill.exe
Token: 33	4216	NIH.exe
Token: SeIncBasePriorityPrivilege	4216	NIH.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	516	taskkill.exe
Token: SeDebugPrivilege	3232	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	3288	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	4700	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	464	taskkill.exe
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	4108	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

teste3.exeNIH.exe

pid process

3952 teste3.exe
4216 NIH.exe
4216 NIH.exe
4216 NIH.exe
4216 NIH.exe

pid	process
3952	teste3.exe
4216	NIH.exe
4216	NIH.exe
4216	NIH.exe
4216	NIH.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.execmd.exeteste3.execmd.exe3357312.exe

description	pid	process	target process
PID 4468 wrote to memory of 3440	4468	79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe	cmd.exe
PID 4468 wrote to memory of 3440	4468	79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe	cmd.exe
PID 4468 wrote to memory of 3440	4468	79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe	cmd.exe
PID 3440 wrote to memory of 3952	3440	cmd.exe	teste3.exe
PID 3440 wrote to memory of 3952	3440	cmd.exe	teste3.exe
PID 3440 wrote to memory of 3952	3440	cmd.exe	teste3.exe
PID 3952 wrote to memory of 2744	3952	teste3.exe	cmd.exe
PID 3952 wrote to memory of 2744	3952	teste3.exe	cmd.exe
PID 3952 wrote to memory of 2744	3952	teste3.exe	cmd.exe
PID 2744 wrote to memory of 4948	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 4948	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 4948	2744	cmd.exe	taskkill.exe
PID 3952 wrote to memory of 2052	3952	teste3.exe	3357312.exe
PID 3952 wrote to memory of 2052	3952	teste3.exe	3357312.exe
PID 3952 wrote to memory of 2052	3952	teste3.exe	3357312.exe
PID 2052 wrote to memory of 4216	2052	3357312.exe	NIH.exe
PID 2052 wrote to memory of 4216	2052	3357312.exe	NIH.exe
PID 2052 wrote to memory of 4216	2052	3357312.exe	NIH.exe
PID 3952 wrote to memory of 868	3952	teste3.exe	7350972.exe
PID 3952 wrote to memory of 868	3952	teste3.exe	7350972.exe
PID 3952 wrote to memory of 868	3952	teste3.exe	7350972.exe
PID 2744 wrote to memory of 1328	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1328	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1328	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 924	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 924	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 924	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3696	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3696	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3696	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3628	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3628	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3628	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1804	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1804	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1804	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 516	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 516	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 516	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3232	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3232	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3232	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 2940	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 2940	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 2940	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 4824	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 4824	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 4824	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1152	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1152	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1152	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1428	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1428	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1428	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3208	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3208	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 3208	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1576	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1576	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1576	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1604	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1604	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1604	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 4388	2744	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79fff9307d2080c9af29ca8d28f7ec47_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt0222.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\teste3.exe
    teste3.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\422785.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nod32krn.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nod32.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kav.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kavmm.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgemc.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgcc.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgamsvr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgupsvc.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgw.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ashwebsv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ashdisp.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ashmaisv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ashserv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ashwebsv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im aswupdsv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ewidoctrl.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im guard.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im gcasdtserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im msmpeng.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcafee.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mghml.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im msiexec.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im outpost.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im isafe.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im minilog.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zonealarm.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zlclient.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im updclient.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccapp.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navw32.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norton.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navapsvc.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccsetmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cccproxy.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccapp.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccevtmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npfmntor.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im logexprt.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nisum.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im issvc.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cpdclnt.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavprsrv.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavprot.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avengine.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im apvxdwin.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im webproxy.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avguard.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgnt.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im shed.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avsched32.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sccomm.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spiderml.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sgmain.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spywareguard.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kpf4gui.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kpf4ss.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcdash.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcdetect.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcregwiz.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcinfo.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mghtml.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im oasclnt.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpfagent.exe
        5⤵
        
        PID:3948
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpfconsole.exe
        5⤵
        
        PID:4316
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpfservice.exe
        5⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpftray.exe
        5⤵
        
        PID:2388
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpfwizard.exe
        5⤵
        Kills process with taskkill
        
        PID:2008
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mvtx.exe
        5⤵
        
        PID:3236
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im _avp32.exe
        5⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im _avpcc.exe
        5⤵
        
        PID:4816
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im _avpm.exe
        5⤵
        
        PID:920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ackwin32.exe
        5⤵
        
        PID:676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im advxdwin.exe
        5⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im agentsvr.exe
        5⤵
        
        PID:664
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im agv.exe
        5⤵
        Kills process with taskkill
        
        PID:4332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ahnsd.exe
        5⤵
        Kills process with taskkill
        
        PID:940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im alertsvc.exe
        5⤵
        Kills process with taskkill
        
        PID:3772
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im alogserv.exe
        5⤵
        Kills process with taskkill
        
        PID:3116
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im amon.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im amon9x.exe
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im amonavp32.exe
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im anti -trojan.exe
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im antivir.exe
        5⤵
        
        PID:3356
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im antivirus.exe
        5⤵
        
        PID:1104
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ants.exe
        5⤵
        
        PID:4760
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im antssircam.exe
        5⤵
        
        PID:3208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im apimonitor.exe
        5⤵
        Kills process with taskkill
        
        PID:1576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im aplica32.exe
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im apvxdwin.exe
        5⤵
        
        PID:1788
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im atcon.exe
        5⤵
        
        PID:3420
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im atguard.exe
        5⤵
        
        PID:3688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ats.exe
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im atscan.exe
        5⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im atupdater.exe
        5⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im atwatch.exe
        5⤵
        
        PID:3620
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im autodown.exe
        5⤵
        Kills process with taskkill
        
        PID:4176
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im autotrace.exe
        5⤵
        
        PID:1436
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im autoupdate.exe
        5⤵
        
        PID:4804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avconsol.exe
        5⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ave32.exe
        5⤵
        
        PID:3220
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgcc32.exe
        5⤵
        
        PID:4880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgctrl.exe
        5⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgserv.exe
        5⤵
        
        PID:3852
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgserv9.exe
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgserv9schedapp.exe
        5⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avgw.exe
        5⤵
        
        PID:3096
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avkpop.exe
        5⤵
        
        PID:1704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avkserv.exe
        5⤵
        
        PID:1020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avkservice.exe
        5⤵
        
        PID:3928
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avkwcl9.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avkwctl9.exe
        5⤵
        Kills process with taskkill
        
        PID:2400
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avnt.exe
        5⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avp.exe
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avp32.exe
        5⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpcc.exe
        5⤵
        
        PID:744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im AVPCC Service.exe
        5⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpccavpm.exe
        5⤵
        
        PID:4476
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpdos32.exe
        5⤵
        Kills process with taskkill
        
        PID:4392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpexec.exe
        5⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpinst.exe
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpm.exe
        5⤵
        Kills process with taskkill
        
        PID:3544
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpmonitor.exe
        5⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avptc.exe
        5⤵
        
        PID:3548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avptc32.exe
        5⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpupd.exe
        5⤵
        
        PID:1048
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avpupdates.exe
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avrescue.exe
        5⤵
        
        PID:2172
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avsched32.exe
        5⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avsynmgr.exe
        5⤵
        
        PID:3136
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avwin95.exe
        5⤵
        
        PID:4352
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avwinnt.exe
        5⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avwupd32.exe
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxgui.exe
        5⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxinit.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxlive.exe
        5⤵
        Kills process with taskkill
        
        PID:4176
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxmonitor9x.exe
        5⤵
        
        PID:3932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxmonitornt.exe
        5⤵
        Kills process with taskkill
        
        PID:2896
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxnews.exe
        5⤵
        
        PID:3148
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxquar.exe
        5⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxsch.exe
        5⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im avxw.exe
        5⤵
        
        PID:3852
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im BACKLOG.exe
        5⤵
        Kills process with taskkill
        
        PID:1608
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bd_professional.exe
        5⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bidef.exe
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bidserver.exe
        5⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bipcp.exe
        5⤵
        
        PID:4288
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bisp.exe
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im blackd.exe
        5⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im blackice.exe
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im blackiceblackd.exe
        5⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im BootWarn.exe
        5⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im borg2.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bs120.exe
        5⤵
        Kills process with taskkill
        
        PID:3232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im bullguard.exe
        5⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccApp.exe
        5⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccevtmgr.exe
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccIMScan.exe
        5⤵
        
        PID:3544
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccPwdSrc.exe
        5⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccpxysvc.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ccSetMgr.exe
        5⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cdp.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cfiadmin.exe
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cfiaudit.exe
        5⤵
        
        PID:2172
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cfinet.exe
        5⤵
        
        PID:4220
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cfinet32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im claw95.exe
        5⤵
        
        PID:4352
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im claw95cf.exe
        5⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im clean.exe
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cleaner.exe
        5⤵
        Kills process with taskkill
        
        PID:2324
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cleaner3.exe
        5⤵
        Kills process with taskkill
        
        PID:4624
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cleanpc.exe
        5⤵
        
        PID:2232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cmgrdian.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cmon016.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im codered.exe
        5⤵
        
        PID:3268
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im connectionmonitor.exe
        5⤵
        
        PID:4312
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im conseal.exe
        5⤵
        
        PID:4892
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cpd.exe
        5⤵
        
        PID:4968
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im cpf9x206.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ctrl.exe
        5⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im defalert.exe
        5⤵
        
        PID:8
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im defence.exe
        5⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im defense.exe
        5⤵
        Kills process with taskkill
        
        PID:5084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im defscangui.exe
        5⤵
        Kills process with taskkill
        
        PID:3620
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im defwatch.exe
        5⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im deputy.exe
        5⤵
        
        PID:940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im doors.exe
        5⤵
        Kills process with taskkill
        
        PID:3792
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im dpf.exe
        5⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im drwatson.exe
        5⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im drweb32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im dvp95.exe
        5⤵
        Kills process with taskkill
        
        PID:1500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im dvp95_0.exe
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ecengine.exe
        5⤵
        Kills process with taskkill
        
        PID:4772
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im edisk.exe
        5⤵
        
        PID:4364
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im efpeadm.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im esafe.exe
        5⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im escanh95.exe
        5⤵
        
        PID:4828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im escanhnt.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im escanv95.exe
        5⤵
        
        PID:760
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im espwatch.exe
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im etrustcipe.exe
        5⤵
        
        PID:3888
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im evpn.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:3428
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im exantivirus -cnet.exe
        5⤵
        
        PID:3128
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fameh32.exe
        5⤵
        
        PID:432
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fast.exe
        5⤵
        
        PID:3412
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fch32.exe
        5⤵
        
        PID:3844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fih32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im findviru.exe
        5⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im firewall.exe
        5⤵
        
        PID:4624
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fix-it.exe
        5⤵
        
        PID:2232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im flowprotector.exe
        5⤵
        
        PID:5000
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fnrb32.exe
        5⤵
        
        PID:2372
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fp -win.exe
        5⤵
        
        PID:4672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fp -win_trial.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fprot.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im frw.exe
        5⤵
        
        PID:4556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsaa.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsav32.exe
        5⤵
        
        PID:464
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsav95.exe
        5⤵
        
        PID:676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsave32.exe
        5⤵
        
        PID:244
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsgk32.exe
        5⤵
        
        PID:4032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsm32.exe
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsma32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fsmb32.exe
        5⤵
        
        PID:456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im fwenc.exe
        5⤵
        
        PID:3772
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im gbmenu.exe
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im gbpoll.exe
        5⤵
        Kills process with taskkill
        
        PID:4840
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im gedit.exe
        5⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im generics.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im grief3878.exe
        5⤵
        
        PID:4472
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im guard.exe
        5⤵
        
        PID:376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im guarddog.exe
        5⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im HackerEliminator.exe
        5⤵
        
        PID:3356
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iamapp.exe
        5⤵
        
        PID:1104
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iamserv.exe
        5⤵
        Kills process with taskkill
        
        PID:1428
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iamstats.exe
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ibmasn.exe
        5⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ibmavsp.exe
        5⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im icload95.exe
        5⤵
        
        PID:4828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im icloadnt.exe
        5⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im icmon.exe
        5⤵
        
        PID:1048
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im icsupp95.exe
        5⤵
        
        PID:400
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im icsuppnt.exe
        5⤵
        Kills process with taskkill
        
        PID:3888
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iface.exe
        5⤵
        
        PID:3428
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ifw2000.exe
        5⤵
        
        PID:2072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im inoculateit.exe
        5⤵
        
        PID:1056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iomon98.exe
        5⤵
        
        PID:3908
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iparmor.exe
        5⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iris.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im isrv95.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3276
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im jammer.exe
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im jedi.exe
        5⤵
        
        PID:3132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kavpf.exe
        5⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ldnetmon.exe
        5⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ldpromenu.exe
        5⤵
        
        PID:4668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ldscan.exe
        5⤵
        
        PID:4028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im localnet.exe
        5⤵
        
        PID:4556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im lockdown.exe
        5⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im lookout.exe
        5⤵
        
        PID:464
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im luall.exe
        5⤵
        
        PID:4300
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im lucomserver.exe
        5⤵
        
        PID:1464
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im luspt.exe
        5⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcafee.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcagent.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcmnhdlr.exe
        5⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcshield.exe
        5⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcshieldvvstat.exe
        5⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mctool.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcupdate.exe
        5⤵
        
        PID:4392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcvsrte.exe
        5⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mcvsshld.exe
        5⤵
        
        PID:1500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mgavrtcl.exe
        5⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mgavrte.exe
        5⤵
        
        PID:3124
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mghtml.exe
        5⤵
        
        PID:4956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mgui.exe
        5⤵
        Kills process with taskkill
        
        PID:4940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im minilog.exe
        5⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mon.exe
        5⤵
        Kills process with taskkill
        
        PID:3548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im monitor.exe
        5⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im monsys32.exe
        5⤵
        Kills process with taskkill
        
        PID:1684
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im monsysnt.exe
        5⤵
        
        PID:5072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im moolive.exe
        5⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpfservice.exe
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mpftray.exe
        5⤵
        
        PID:4088
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mrflux.exe
        5⤵
        
        PID:3388
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im msinfo32.exe
        5⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mwatch.exe
        5⤵
        
        PID:3888
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mxtask.exe
        5⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im n32scanw.exe
        5⤵
        Kills process with taskkill
        
        PID:4352
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nav.exe
        5⤵
        
        PID:3412
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im NAV DefAlert.exe
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nav32.exe
        5⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navalert.exe
        5⤵
        
        PID:4936
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navap.exe
        5⤵
        
        PID:4524
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navapsvc.exe
        5⤵
        
        PID:4176
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im NAVAPW32.exe
        5⤵
        Kills process with taskkill
        
        PID:4676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navauto -protect.exe
        5⤵
        
        PID:216
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navdx.exe
        5⤵
        
        PID:2372
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navengnavex15.exe
        5⤵
        
        PID:2416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navlu32.exe
        5⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navnt.exe
        5⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navrunr.exe
        5⤵
        
        PID:2420
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navstub.exe
        5⤵
        
        PID:3980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im navw32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Navwnt.exe
        5⤵
        
        PID:4816
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nc2000.exe
        5⤵
        
        PID:4032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ndd32.exe
        5⤵
        
        PID:664
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im neomonitor.exe
        5⤵
        
        PID:3448
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im neowatchlog.exe
        5⤵
        
        PID:3552
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im net2000.exe
        5⤵
        
        PID:744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netarmor.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netcommando.exe
        5⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netinfo.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netmon.exe
        5⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netpro.exe
        5⤵
        
        PID:3524
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netprotect.exe
        5⤵
        
        PID:3204
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netscanpro.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netspyhunter -1.2.exe
        5⤵
        Kills process with taskkill
        
        PID:2780
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netstat.exe
        5⤵
        
        PID:3124
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netutils.exe
        5⤵
        
        PID:4956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im netutils].exe
        5⤵
        
        PID:732
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nimda.exe
        5⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nisserv.exe
        5⤵
        
        PID:3344
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nisum.exe
        5⤵
        
        PID:2132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nisumnisservnisum.exe
        5⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nmain.exe
        5⤵
        
        PID:4684
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nod32.exe
        5⤵
        
        PID:1824
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norman.exe
        5⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norman_32.exe
        5⤵
        Kills process with taskkill
        
        PID:2084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norman_av.exe
        5⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norman32.exe
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im normanav.exe
        5⤵
        
        PID:4088
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im normist.exe
        5⤵
        
        PID:3420
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norton.exe
        5⤵
        
        PID:4220
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Norton Auto-Protect.exe
        5⤵
        
        PID:4408
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im norton_av.exe
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nortonav.exe
        5⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im notstart.exe
        5⤵
        
        PID:1056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npfmessenger.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npfw.exe
        5⤵
        
        PID:808
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npfw32.exe
        5⤵
        
        PID:1228
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nprotect.exe
        5⤵
        Kills process with taskkill
        
        PID:1436
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npscheck.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im npssvc.exe
        5⤵
        
        PID:3932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nresq32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nsched32.exe
        5⤵
        
        PID:812
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nschednt.exe
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nsplugin.exe
        5⤵
        
        PID:3144
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ntrtscan.exe
        5⤵
        Kills process with taskkill
        
        PID:8
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ntvdm.exe
        5⤵
        
        PID:1376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ntxconfig.exe
        5⤵
        
        PID:1444
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nui.exe
        5⤵
        Kills process with taskkill
        
        PID:4304
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nupgrade.exe
        5⤵
        
        PID:5056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nvarch16.exe
        5⤵
        
        PID:4512
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nvc95.exe
        5⤵
        
        PID:116
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nvsvc32.exe
        5⤵
        
        PID:436
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nwservice.exe
        5⤵
        
        PID:3116
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im nwtool16.exe
        5⤵
        Kills process with taskkill
        
        PID:2544
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im offguard.exe
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im OPScan.exe
        5⤵
        
        PID:4364
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ostronet.exe
        5⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im outpost.exe
        5⤵
        
        PID:4760
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im padmin.exe
        5⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im panda.exe
        5⤵
        
        PID:3668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pandaav.exe
        5⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im panixk.exe
        5⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pav.exe
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavcl.exe
        5⤵
        
        PID:3788
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavproxy.exe
        5⤵
        
        PID:1072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavsched.exe
        5⤵
        
        PID:3572
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pavw.exe
        5⤵
        
        PID:1184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pc -cillan.exe
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pc -cillin.exe
        5⤵
        
        PID:4388
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pccclient.exe
        5⤵
        
        PID:760
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pccguide.exe
        5⤵
        
        PID:3444
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pcciomon.exe
        5⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pccntmon.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pccwin97.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:432
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pccwin98.exe
        5⤵
        Kills process with taskkill
        
        PID:5028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pcfwallicon.exe
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pcscan.exe
        5⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im periscope.exe
        5⤵
        Kills process with taskkill
        
        PID:2004
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im persfw.exe
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pf2.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:808
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pfwadmin.exe
        5⤵
        Kills process with taskkill
        
        PID:1228
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pingscan.exe
        5⤵
        
        PID:5064
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im platin.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pop3trap.exe
        5⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im poproxy.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im portdetective.exe
        5⤵
        
        PID:5108
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im portmonitor.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ppinupdt.exe
        5⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pptbc.exe
        5⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ppvstop.exe
        5⤵
        
        PID:4300
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im processmonitor.exe
        5⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im procexplorerv10#.exe
        5⤵
        
        PID:4032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im programauditor.exe
        5⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im proport.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2400
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im protectx.exe
        5⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pspf.exe
        5⤵
        
        PID:3492
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im purge.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pview95.exe
        5⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im pw32.exe
        5⤵
        Kills process with taskkill
        
        PID:1256
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im qconsole.exe
        5⤵
        
        PID:3264
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rav.exe
        5⤵
        
        PID:516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rav7.exe
        5⤵
        Kills process with taskkill
        
        PID:4480
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rav7win.exe
        5⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im realmon.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regrun2.exe
        5⤵
        
        PID:864
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rescue.exe
        5⤵
        Kills process with taskkill
        
        PID:4940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rrguard.exe
        5⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rshell.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:816
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rtvscn95.exe
        5⤵
        
        PID:4672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rulaunch.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im safeweb.exe
        5⤵
        
        PID:4780
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im SAVscan.exe
        5⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sbserv.exe
        5⤵
        
        PID:3004
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im SBservice.exe
        5⤵
        Kills process with taskkill
        
        PID:3200
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im scan.exe
        5⤵
        
        PID:4748
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im scan32.exe
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im scan95.exe
        5⤵
        
        PID:4380
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im scanpm.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im scrscan.exe
        5⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sd.exe
        5⤵
        Kills process with taskkill
        
        PID:4248
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im SENS.exe
        5⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im serv95.exe
        5⤵
        Kills process with taskkill
        
        PID:4584
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sfc.exe
        5⤵
        
        PID:1676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sh.exe
        5⤵
        
        PID:5028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sharedaccess.exe
        5⤵
        
        PID:3924
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im shn.exe
        5⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im smc.exe
        5⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sofi.exe
        5⤵
        
        PID:1016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sophos.exe
        5⤵
        
        PID:4524
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sophos_av.exe
        5⤵
        
        PID:4324
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sophosav.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4868
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spf.exe
        5⤵
        
        PID:3132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sphinx.exe
        5⤵
        
        PID:4312
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spy.exe
        5⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spygate.exe
        5⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spyx.exe
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im spyxx.exe
        5⤵
        
        PID:3144
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im srwatch.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ss3edit.exe
        5⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im st2.exe
        5⤵
        
        PID:1132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im supftrl.exe
        5⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im supp95.exe
        5⤵
        
        PID:5056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im supporter5.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sweep95.exe
        5⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sweepnet.exe
        5⤵
        
        PID:4272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sweepsrv.sys.exe
        5⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sweepsrv.sysvshwin32.exe
        5⤵
        
        PID:3116
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im swnetsup.exe
        5⤵
        
        PID:3524
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im symantec.exe
        5⤵
        
        PID:516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Symantec Core LC.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im symlcsvc.exe
        5⤵
        
        PID:4364
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im symproxysvc.exe
        5⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im symtray.exe
        5⤵
        
        PID:3060
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sysedit.exe
        5⤵
        Kills process with taskkill
        
        PID:1428
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmon.exe
        5⤵
        
        PID:3548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taumon.exe
        5⤵
        
        PID:4296
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tauscan.exe
        5⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tbscan.exe
        5⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tcm.exe
        5⤵
        
        PID:3124
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tctca.exe
        5⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tds -3.exe
        5⤵
        Kills process with taskkill
        
        PID:1824
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tds2 -98.exe
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tds2 -nt.exe
        5⤵
        
        PID:5072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tfak.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tfak5.exe
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tgbob.exe
        5⤵
        
        PID:1184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im trendmicro.exe
        5⤵
        
        PID:4380
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im trjscan.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im trojantrap3.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im TrueVector.exe
        5⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im undoboot.exe
        5⤵
        
        PID:3888
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im update.exe
        5⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vbcmserv.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:432
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vbcons.exe
        5⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vbust.exe
        5⤵
        Kills process with taskkill
        
        PID:1056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vbwin9x.exe
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vbwinntw.exe
        5⤵
        
        PID:3844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vccmserv.exe
        5⤵
        
        PID:3276
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vcontrol.exe
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vet32.exe
        5⤵
        
        PID:5064
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vet95.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:396
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vettray.exe
        5⤵
        
        PID:3140
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vir -help.exe
        5⤵
        
        PID:3872
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im virus.exe
        5⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im virusmdpersonalfirewall.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4892
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vnlan300.exe
        5⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vnpc3000.exe
        5⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vpc32.exe
        5⤵
        
        PID:8
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vpfw30s.exe
        5⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vptray.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vscan40.exe
        5⤵
        
        PID:3448
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vsched.exe
        5⤵
        Kills process with taskkill
        
        PID:940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vsecomr.exe
        5⤵
        
        PID:5020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vshwin32.exe
        5⤵
        
        PID:860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vshwin32vbcmserv.exe
        5⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vsmain.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vsmon.exe
        5⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vsstat.exe
        5⤵
        
        PID:3232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vswin9xe.exe
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im vswinntse.exe
        5⤵
        
        PID:1232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im w9x.exe
        5⤵
        
        PID:4488
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im watchdog.exe
        5⤵
        
        PID:4960
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im webscanx.exe
        5⤵
        
        PID:3228
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im webtrap.exe
        5⤵
        
        PID:4468
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wfindv32.exe
        5⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wgfe95.exe
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im whoswatchingme.exe
        5⤵
        
        PID:4368
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wimmun32.exe
        5⤵
        
        PID:4672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winrecon.exe
        5⤵
        
        PID:3700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winroute.exe
        5⤵
        
        PID:5036
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winsfcm.exe
        5⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wnt.exe
        5⤵
        
        PID:3624
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wqkmm3878.exe
        5⤵
        
        PID:5072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wradmin.exe
        5⤵
        
        PID:392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wrctrl.exe
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wsbgate.exe
        5⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wyvernworksfirewall.exe
        5⤵
        Kills process with taskkill
        
        PID:3420
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zapro.exe
        5⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zatutor.exe
        5⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zauinst.exe
        5⤵
        Kills process with taskkill
        
        PID:1676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im zonealarm.exe
        5⤵
        
        PID:5028
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kill /t REG_SZ /d c:\windows\Install.exe
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\3357312.exe
      "C:\Users\Admin\AppData\Local\Temp\3357312.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\SysWOW64\NIH.exe
        
        "C:\Windows\system32\NIH.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\7350972.exe
      "C:\Users\Admin\AppData\Local\Temp\7350972.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3357312.exe

Filesize
202KB

MD5
9268d5734eeba88a56547bc5d7f6034a

SHA1
66e053262d241698f2c611203fd1697f8837d806

SHA256
bcdd8253acad7e3c700c5731562757bbb6bf2ab1cdc6b017f7eeb2f9d08b1c1e

SHA512
8a6fd5938c8a5f3ba8bc1a8c5a14148a1ed351c6d2b9f2365d686045cb8a8309cec87ff036fd67d970fabaf002a186033924782a807e0598c7967d692f5eb29e

Download Submit
C:\Users\Admin\AppData\Local\Temp\422785.bat

Filesize
17KB

MD5
215d9acf1b4a99f61e49e79a8e083b74

SHA1
160fdf869acc0b497ab3fbceed4344537aa9d525

SHA256
be5ab46d10727b05f162cd2d65073bbb89c3cf7ceaab7d995736e7341dc7c307

SHA512
02e2d4829028000123a8436dc15c1a455a6480d5138f43a0e480f0fa5eedabd55a9796f92b92d800c052282b566f5707c88fb2567c2646aba077feb6f1bdeb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7350972.exe

Filesize
200KB

MD5
f5a8ec3c56be04678397908aced5f710

SHA1
3239460de2318ece427cd904a829808dce9b66ea

SHA256
9d068118cdb665746cf2e025214c3df3450a4a19f6592769c8a0abe20cf7227d

SHA512
2b4d6c24036c47e75ac34720043328d23927bf5b9b9e6decd0b380236925350a6240111c361cf1973a1a4400721c769518d76d3b80bed31b6f44cb188c75a090

Download Submit
C:\Users\Admin\AppData\Local\Temp\@CFD3.tmp

Filesize
4KB

MD5
3e52aef4a9e1bbf25dc611e0f5c45934

SHA1
91862bee5ac57eb719cf9bc14c69f9ef5affcbbf

SHA256
1b881b4299a8555f785088bd0e1b6969e76dc470f1f67429678a678c5f8b349d

SHA512
e4bc9fab4d1c555a896936927ff5866634885401a41f2eade5a976311dad3cdc40c0c7229c61925a8b32ae7b69c4c99537dc10baf292375a82a885a7a908a807

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt0222.bat

Filesize
18B

MD5
c05407967c329e698a912d4bee44be62

SHA1
ba81f0b1f2dfdb71c30d580987f5d7ceb0b9b2de

SHA256
85c2e828e759f9f7495cb85a2aa4e360670ea43551486dafe2ff1cda77b067a4

SHA512
0402d2273ca0755423b5fd3c92ce0d89e1238a54a88d8f2df56cdcab9077026af88ac1abe6bbb8c0df8e2ff5883cef521afab4fda99967254e911dfcb41e897e

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste3.exe

Filesize
863KB

MD5
35c340b45a3af572e48854e7ad0b177d

SHA1
0a36360c24cb7cf31c95e9f908f7d16cd126e04f

SHA256
2ccd3429ccb40be59497993dfd1fa7f02ffcf9c76b7fa66bc2829a9885234ad8

SHA512
ccaa6b5b534f81258bf458280cf9185a8519366ecc63b2a4db373d174a54fa7394d3747c2ec999918272f0cd4076cfd8c51825a4b504feec62d233dca425a8ad

Download Submit
C:\Windows\SysWOW64\NIH.001

Filesize
2KB

MD5
0230f432bc8e345d53965fce1fc78a5d

SHA1
fa2e5cc7e7ce41c73e7bdb2e7c354a3fe3ef2a2a

SHA256
8a1b706aa5dde542e6dcbe562a4d37513779f8c9b32ee17e040d232b594c9b4f

SHA512
0c6044b85424994e7130ff8d4b5ed0c2ffde827e28bc63068957a0719cf651bcfabae9c0d250e8c24f6d32fa81ff88d8388e39f6ba6251e0ac67984983609615

Download Submit
C:\Windows\SysWOW64\NIH.006

Filesize
5KB

MD5
e98ae645054f00269eaad44b95c4e37c

SHA1
59bcfb291cb15f521e6e5982c12913052b5755b1

SHA256
028e4ef0ed6a7d9792ad2694c56b41ba247e72ef690089142c47bb6e1a693221

SHA512
ae4b1316c9785623944a0bc1884648f1382f3f8fb494927e7c872a72b0786fb5a1d090ebc2d5e468b91c8eef7663b43f73be4a1f65f7d8dd9bdaa6dfc694a35e

Download Submit
C:\Windows\SysWOW64\NIH.007

Filesize
4KB

MD5
ea32497496dd6b80be1c47fe5fac1fcf

SHA1
2bf9bee8e0f83b6785188a91047695ebcdf342da

SHA256
370a94fec91220668a370c2dcd0d2ac10c3f0a1d1befc7fee50db6f5e0b99676

SHA512
353d11071b695fe23080bc6d5cb5dc557b59b152b42921daec6f4124f9e8bb58555ac30c5ec96dae31871ff3d2416e91690b5f862d4feb5e7b038a996c8a1ff3

Download Submit
C:\Windows\SysWOW64\NIH.exe

Filesize
295KB

MD5
decf3769c920a9b642f56e24933cdf81

SHA1
930ddaf6b310fa2b3569580ff671e91d80b8b11b

SHA256
46a451f14816a0dc46d392158d1507f5806fe76e9fc9f0080d00d0b3dd26183b

SHA512
2807345e5ae0438c0bd41c3d0b6b09e3d1c04d0397e5e990d614125a14b6100de3c3f5bebab168f5654d6823eef5dbfd5a878aa0de64eec13bb546c8c32b8cb2

Download Submit
memory/868-57-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-62-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-71-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-58-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-59-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-60-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-61-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-48-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-63-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-64-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-68-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-69-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-70-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4468-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download