modiloader | e3914df012317c975ea93e9a5a909d45edf8c8f255128c5273e0a9e657801887

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe
Size

295KB
MD5

ee44bfee7f9731b490a0d4ddad2a3023
SHA1

e4067b14ba4ff104d720480015aa3b6cdafb93a8
SHA256

e3914df012317c975ea93e9a5a909d45edf8c8f255128c5273e0a9e657801887
SHA512

69877db15695dd96487fafd42830a47106365bf5b38b4d89c5e1df3edb25e9982bd933868ca13bc37d874df00a6ece2b86bf77b095d9179a65b25e68ad2beb4f
SSDEEP

6144:911G377xS2Vp2CeiorXdwTBgWx4v53kpcCJJvHvu2:LYr7xS2Vp6RwTyCFbJJvH5

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwai32.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-2.dat	modiloader_stage2
behavioral1/memory/2712-28-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-35-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-40-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-43-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-46-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-49-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-52-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-55-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-58-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-61-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-64-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-67-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-70-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-73-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-76-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2712	Test.exe
2764	mstwai32.exe

Loads dropped DLL 3 IoCs

pid	Process
2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe
2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe
2712	Test.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwai32 = "C:\\Windows\\mstwai32.exe"	mstwai32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Test.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwai32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwai32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Test.exe	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Ultimate AV Killer By Royal 07 10 07.bat	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mstwai32.exe	Test.exe
File opened for modification	C:\Windows\mstwai32.exe	Test.exe
File created	C:\Windows\ntdtcstp.dll	mstwai32.exe
File created	C:\Windows\cmsetac.dll	mstwai32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2744	taskkill.exe
3008	taskkill.exe
1312	taskkill.exe
1812	taskkill.exe
1196	taskkill.exe
1312	taskkill.exe
2912	taskkill.exe
2776	taskkill.exe
2608	taskkill.exe
1140	taskkill.exe
2564	taskkill.exe
2448	taskkill.exe
2608	taskkill.exe
2816	taskkill.exe
2912	taskkill.exe
1380	taskkill.exe
2756	taskkill.exe
2564	taskkill.exe
3004	taskkill.exe
1764	taskkill.exe
2812	taskkill.exe
1696	taskkill.exe
2104	taskkill.exe
936	taskkill.exe
616	taskkill.exe
1992	taskkill.exe
2500	taskkill.exe
2880	taskkill.exe
2420	taskkill.exe
1380	taskkill.exe
572	taskkill.exe
2124	taskkill.exe
856	taskkill.exe
1028	taskkill.exe
1948	taskkill.exe
2768	taskkill.exe
1988	taskkill.exe
2116	taskkill.exe
1056	taskkill.exe
1256	taskkill.exe
2104	taskkill.exe
2376	taskkill.exe
2832	taskkill.exe
2984	taskkill.exe
856	taskkill.exe
2172	taskkill.exe
2948	taskkill.exe
1992	taskkill.exe
2264	taskkill.exe
2072	taskkill.exe
1560	taskkill.exe
1140	taskkill.exe
2576	taskkill.exe
1756	taskkill.exe
2392	taskkill.exe
2520	taskkill.exe
2548	taskkill.exe
1724	taskkill.exe
2412	taskkill.exe
2656	taskkill.exe
1524	taskkill.exe
2128	taskkill.exe
2072	taskkill.exe
1576	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	Test.exe
Token: SeDebugPrivilege	2764	mstwai32.exe
Token: SeDebugPrivilege	2764	mstwai32.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2764	mstwai32.exe
2764	mstwai32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2712	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2712	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2712	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2712	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2708	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2748	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2748	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2748	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2748	2380	ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2764	2712	Test.exe	34
PID 2712 wrote to memory of 2764	2712	Test.exe	34
PID 2712 wrote to memory of 2764	2712	Test.exe	34
PID 2712 wrote to memory of 2764	2712	Test.exe	34
PID 2748 wrote to memory of 2564	2748	cmd.exe	35
PID 2748 wrote to memory of 2564	2748	cmd.exe	35
PID 2748 wrote to memory of 2564	2748	cmd.exe	35
PID 2748 wrote to memory of 2564	2748	cmd.exe	35
PID 2748 wrote to memory of 2196	2748	cmd.exe	37
PID 2748 wrote to memory of 2196	2748	cmd.exe	37
PID 2748 wrote to memory of 2196	2748	cmd.exe	37
PID 2748 wrote to memory of 2196	2748	cmd.exe	37
PID 2748 wrote to memory of 1672	2748	cmd.exe	38
PID 2748 wrote to memory of 1672	2748	cmd.exe	38
PID 2748 wrote to memory of 1672	2748	cmd.exe	38
PID 2748 wrote to memory of 1672	2748	cmd.exe	38
PID 2748 wrote to memory of 2912	2748	cmd.exe	39
PID 2748 wrote to memory of 2912	2748	cmd.exe	39
PID 2748 wrote to memory of 2912	2748	cmd.exe	39
PID 2748 wrote to memory of 2912	2748	cmd.exe	39
PID 2748 wrote to memory of 2932	2748	cmd.exe	40
PID 2748 wrote to memory of 2932	2748	cmd.exe	40
PID 2748 wrote to memory of 2932	2748	cmd.exe	40
PID 2748 wrote to memory of 2932	2748	cmd.exe	40
PID 2748 wrote to memory of 2256	2748	cmd.exe	41
PID 2748 wrote to memory of 2256	2748	cmd.exe	41
PID 2748 wrote to memory of 2256	2748	cmd.exe	41
PID 2748 wrote to memory of 2256	2748	cmd.exe	41
PID 2748 wrote to memory of 2052	2748	cmd.exe	42
PID 2748 wrote to memory of 2052	2748	cmd.exe	42
PID 2748 wrote to memory of 2052	2748	cmd.exe	42
PID 2748 wrote to memory of 2052	2748	cmd.exe	42
PID 2748 wrote to memory of 2440	2748	cmd.exe	43
PID 2748 wrote to memory of 2440	2748	cmd.exe	43
PID 2748 wrote to memory of 2440	2748	cmd.exe	43
PID 2748 wrote to memory of 2440	2748	cmd.exe	43
PID 2748 wrote to memory of 1164	2748	cmd.exe	44
PID 2748 wrote to memory of 1164	2748	cmd.exe	44
PID 2748 wrote to memory of 1164	2748	cmd.exe	44
PID 2748 wrote to memory of 1164	2748	cmd.exe	44
PID 2748 wrote to memory of 2072	2748	cmd.exe	45
PID 2748 wrote to memory of 2072	2748	cmd.exe	45
PID 2748 wrote to memory of 2072	2748	cmd.exe	45
PID 2748 wrote to memory of 2072	2748	cmd.exe	45
PID 2748 wrote to memory of 2868	2748	cmd.exe	46
PID 2748 wrote to memory of 2868	2748	cmd.exe	46
PID 2748 wrote to memory of 2868	2748	cmd.exe	46
PID 2748 wrote to memory of 2868	2748	cmd.exe	46
PID 2748 wrote to memory of 2640	2748	cmd.exe	47
PID 2748 wrote to memory of 2640	2748	cmd.exe	47
PID 2748 wrote to memory of 2640	2748	cmd.exe	47
PID 2748 wrote to memory of 2640	2748	cmd.exe	47

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwai32.exe

C:\Users\Admin\AppData\Local\Temp\ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee44bfee7f9731b490a0d4ddad2a3023_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\Test.exe
  "C:\Windows\system32\Test.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\mstwai32.exe
    "C:\Windows\mstwai32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2764
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\CSS Unknow Cheats.txt
  2⤵
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\system32\Ultimate AV Killer By Royal 07 10 07.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im egui.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32krn.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kav.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kavmm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgemc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgamsvr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgupsvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashdisp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashmaisv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashserv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aswupdsv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ewidoctrl.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guard.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gcasdtserv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msmpeng.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcafee.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskkill mghml.exe
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im outpost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im isafe.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im minilog.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zonealarm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zlclient.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im updclient.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccapp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navw32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navapsvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccsetmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cccproxy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccapp.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccevtmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfmntor.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im logexprt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisum.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im issvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cpdclnt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavprsrv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavprot.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avengine.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pvxdwin.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im webproxy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vguard.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgnt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im shed.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsched32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sccomm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spiderml.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sgmain.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spywareguard.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kpf4gui.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kpf4ss.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcdash.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcdetect.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcregwiz.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcinfo.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mghtml.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oasclnt.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfagent.exe
    3⤵
    PID:708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfconsole.exe
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfservice.exe
    3⤵
    PID:856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpftray.exe
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfwizard.exe
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mvtx.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im _avp32.exe
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im _avpcc.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im _avpm.exe
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ackwin32.exe
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im advxdwin.exe
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agentsvr.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agv.exe
    3⤵
    PID:696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ahnsd.exe
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alertsvc.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alogserv.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im amon.exe
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im amon9x.exe
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im amonavp32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im anti -trojan.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im antivir.exe
    3⤵
    - Kills process with taskkill
    PID:2412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im antivirus.exe
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ants.exe
    3⤵
    - Kills process with taskkill
    PID:3008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im antssircam.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im apimonitor.exe
    3⤵
    - Kills process with taskkill
    PID:2172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aplica32.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im apvxdwin.exe
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atcon.exe
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atguard.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ats.exe
    3⤵
    - Kills process with taskkill
    PID:2756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atscan.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atupdater.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im atwatch.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im autodown.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im autotrace.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im autoupdate.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avconsol.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ave32.exe
    3⤵
    - Kills process with taskkill
    PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc32.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgctrl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv.exe
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9schedapp.exe
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkpop.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkserv.exe
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkservice.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkwcl9.exe
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avkwctl9.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avnt.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avp32.exe
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpcc.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AVPCC Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpccavpm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpdos32.exe
    3⤵
    PID:408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpexec.exe
    3⤵
    - Kills process with taskkill
    PID:2420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpinst.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpm.exe
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpmonitor.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avptc.exe
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avptc32.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpupd.exe
    3⤵
    PID:696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avpupdates.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avrescue.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsched32.exe
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsynmgr.exe
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avwin95.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avwinnt.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avwupd32.exe
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxgui.exe
    3⤵
    - Kills process with taskkill
    PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxinit.exe
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxlive.exe
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxmonitor9x.exe
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxmonitornt.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxnews.exe
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxquar.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxsch.exe
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avxw.exe
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BACKLOG.exe
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bd_professional.exe
    3⤵
    - Kills process with taskkill
    PID:2768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bidef.exe
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bidserver.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bipcp.exe
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bisp.exe
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im blackd.exe
    3⤵
    - Kills process with taskkill
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im blackice.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im blackiceblackd.exe
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BootWarn.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im borg2.exe
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bs120.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bullguard.exe
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccApp.exe
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccevtmgr.exe
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccIMScan.exe
    3⤵
    - Kills process with taskkill
    PID:2072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccPwdSrc.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccpxysvc.exe
    3⤵
    PID:332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccSetMgr.exe
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cdp.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfiadmin.exe
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfiaudit.exe
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfinet.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cfinet32.exe
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im claw95.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im claw95cf.exe
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clean.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cleaner.exe
    3⤵
    - Kills process with taskkill
    PID:1988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cleaner3.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cleanpc.exe
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmgrdian.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmon016.exe
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im codered.exe
    3⤵
    - Kills process with taskkill
    PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im connectionmonitor.exe
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conseal.exe
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cpd.exe
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cpf9x206.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ctrl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defalert.exe
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defence.exe
    3⤵
    - Kills process with taskkill
    PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defense.exe
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defscangui.exe
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im defwatch.exe
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im deputy.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im doors.exe
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dpf.exe
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im drwatson.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im drweb32.exe
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dvp95.exe
    3⤵
    - Kills process with taskkill
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dvp95_0.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ecengine.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im edisk.exe
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im efpeadm.exe
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im esafe.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im escanh95.exe
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im escanhnt.exe
    3⤵
    - Kills process with taskkill
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im escanv95.exe
    3⤵
    - Kills process with taskkill
    PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im espwatch.exe
    3⤵
    PID:600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im etrustcipe.exe
    3⤵
    - Kills process with taskkill
    PID:1380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im evpn.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im exantivirus -cnet.exe
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fameh32.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fast.exe
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fch32.exe
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fih32.exe
    3⤵
    PID:588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im findviru.exe
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im firewall.exe
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fix-it.exe
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im flowprotector.exe
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fnrb32.exe
    3⤵
    - Kills process with taskkill
    PID:572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fp -win.exe
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fp -win_trial.exe
    3⤵
    - Kills process with taskkill
    PID:1140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fprot.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im frw.exe
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsaa.exe
    3⤵
    - Kills process with taskkill
    PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsav32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsav95.exe
    3⤵
    - Kills process with taskkill
    PID:1056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsave32.exe
    3⤵
    PID:840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsgk32.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsm32.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsma32.exe
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fsmb32.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fwenc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gbmenu.exe
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gbpoll.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im gedit.exe
    3⤵
    PID:984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im generics.exe
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im grief3878.exe
    3⤵
    PID:352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guard.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guarddog.exe
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HackerEliminator.exe
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iamapp.exe
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iamserv.exe
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iamstats.exe
    3⤵
    - Kills process with taskkill
    PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ibmasn.exe
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ibmavsp.exe
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icload95.exe
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icloadnt.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icmon.exe
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icsupp95.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im icsuppnt.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iface.exe
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ifw2000.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im inoculateit.exe
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iomon98.exe
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iparmor.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iris.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im isrv95.exe
    3⤵
    - Kills process with taskkill
    PID:2656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im jammer.exe
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im jedi.exe
    3⤵
    - Kills process with taskkill
    PID:1524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kavpf.exe
    3⤵
    PID:316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ldnetmon.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ldpromenu.exe
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ldscan.exe
    3⤵
    PID:264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im localnet.exe
    3⤵
    PID:820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lockdown.exe
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lookout.exe
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im luall.exe
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lucomserver.exe
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im luspt.exe
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcafee.exe
    3⤵
    - Kills process with taskkill
    PID:2124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcagent.exe
    3⤵
    PID:448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcmnhdlr.exe
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcshield.exe
    3⤵
    - Kills process with taskkill
    PID:2128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcshieldvvstat.exe
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mctool.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcupdate.exe
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcvsrte.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcvsshld.exe
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mgavrtcl.exe
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mgavrte.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mghtml.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mgui.exe
    3⤵
    PID:616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im minilog.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mon.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im monitor.exe
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im monsys32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im monsysnt.exe
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im moolive.exe
    3⤵
    PID:888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpfservice.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mpftray.exe
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mrflux.exe
    3⤵
    - Kills process with taskkill
    PID:2776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo32.exe
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mwatch.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mxtask.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im n32scanw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nav.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im NAV DefAlert.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nav32.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navalert.exe
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navap.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navapsvc.exe
    3⤵
    - Kills process with taskkill
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im NAVAPW32.exe
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navauto -protect.exe
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navdx.exe
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navengnavex15.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navlu32.exe
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navnt.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navrunr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navstub.exe
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navw32.exe
    3⤵
    PID:316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Navwnt.exe
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nc2000.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ndd32.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im neomonitor.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im neowatchlog.exe
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im net2000.exe
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netarmor.exe
    3⤵
    - Kills process with taskkill
    PID:2264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netcommando.exe
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netinfo.exe
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netmon.exe
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netpro.exe
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netprotect.exe
    3⤵
    PID:708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netscanpro.exe
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netspyhunter -1.2.exe
    3⤵
    - Kills process with taskkill
    PID:936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netstat.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netutils.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im netutils].exe
    3⤵
    - Kills process with taskkill
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nimda.exe
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisserv.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisum.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nisumnisservnisum.exe
    3⤵
    - Kills process with taskkill
    PID:1312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nmain.exe
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32.exe
    3⤵
    - Kills process with taskkill
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman.exe
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman_32.exe
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman_av.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norman32.exe
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im normanav.exe
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im normist.exe
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton.exe
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Norton Auto-Protect.exe
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton_av.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nortonav.exe
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im notstart.exe
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfmessenger.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfw.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npfw32.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nprotect.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npscheck.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npssvc.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nresq32.exe
    3⤵
    - Kills process with taskkill
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nsched32.exe
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nschednt.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nsplugin.exe
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntrtscan.exe
    3⤵
    PID:600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntvdm.exe
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntxconfig.exe
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nui.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nupgrade.exe
    3⤵
    - Kills process with taskkill
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvarch16.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvc95.exe
    3⤵
    PID:536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvsvc32.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nwservice.exe
    3⤵
    PID:332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nwtool16.exe
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im offguard.exe
    3⤵
    - Kills process with taskkill
    PID:856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OPScan.exe
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ostronet.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im outpost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im padmin.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im panda.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pandaav.exe
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im panixk.exe
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pav.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavcl.exe
    3⤵
    - Kills process with taskkill
    PID:2520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavproxy.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavsched.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pavw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pc -cillan.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pc -cillin.exe
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccclient.exe
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccguide.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pcciomon.exe
    3⤵
    PID:640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccntmon.exe
    3⤵
    PID:984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccwin97.exe
    3⤵
    PID:844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pccwin98.exe
    3⤵
    PID:352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pcfwallicon.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pcscan.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im periscope.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im persfw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pf2.exe
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pfwadmin.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pingscan.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im platin.exe
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pop3trap.exe
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im poproxy.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im portdetective.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im portmonitor.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ppinupdt.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pptbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ppvstop.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im processmonitor.exe
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im procexplorerv10#.exe
    3⤵
    - Kills process with taskkill
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im programauditor.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im proport.exe
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im protectx.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pspf.exe
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im purge.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pview95.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im pw32.exe
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im qconsole.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rav.exe
    3⤵
    PID:536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rav7.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rav7win.exe
    3⤵
    PID:332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im realmon.exe
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regrun2.exe
    3⤵
    PID:856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rescue.exe
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rrguard.exe
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rshell.exe
    3⤵
    - Kills process with taskkill
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rtvscn95.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rulaunch.exe
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im safeweb.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SAVscan.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sbserv.exe
    3⤵
    PID:936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SBservice.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scan.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scan32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scan95.exe
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scanpm.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im scrscan.exe
    3⤵
    - Kills process with taskkill
    PID:616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sd.exe
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SENS.exe
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im serv95.exe
    3⤵
    - Kills process with taskkill
    PID:1812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sfc.exe
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sh.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sharedaccess.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im shn.exe
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im smc.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sofi.exe
    3⤵
    - Kills process with taskkill
    PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sophos.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sophos_av.exe
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sophosav.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spf.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sphinx.exe
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spy.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spygate.exe
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spyx.exe
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spyxx.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im srwatch.exe
    3⤵
    PID:328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ss3edit.exe
    3⤵
    - Kills process with taskkill
    PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im st2.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im supftrl.exe
    3⤵
    PID:544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im supp95.exe
    3⤵
    - Kills process with taskkill
    PID:1380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im supporter5.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweep95.exe
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweepnet.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweepsrv.sys.exe
    3⤵
    - Kills process with taskkill
    PID:1724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sweepsrv.sysvshwin32.exe
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im swnetsup.exe
    3⤵
    - Kills process with taskkill
    PID:2812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symantec.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Symantec Core LC.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symlcsvc.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symproxysvc.exe
    3⤵
    PID:332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symtray.exe
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysedit.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmon.exe
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taumon.exe
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tauscan.exe
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tbscan.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tcm.exe
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tctca.exe
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tds -3.exe
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tds2 -98.exe
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tds2 -nt.exe
    3⤵
    - Kills process with taskkill
    PID:2500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tfak.exe
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tfak5.exe
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tgbob.exe
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im trendmicro.exe
    3⤵
    PID:764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im trjscan.exe
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im trojantrap3.exe
    3⤵
    PID:356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im TrueVector.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im undoboot.exe
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im update.exe
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbcmserv.exe
    3⤵
    PID:352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbcons.exe
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbust.exe
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbwin9x.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vbwinntw.exe
    3⤵
    - Kills process with taskkill
    PID:2376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vccmserv.exe
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vcontrol.exe
    3⤵
    - Kills process with taskkill
    PID:2392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vet32.exe
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vet95.exe
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vettray.exe
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vir -help.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im virus.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im virusmdpersonalfirewall.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vnlan300.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vnpc3000.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vpc32.exe
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vpfw30s.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vptray.exe
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vscan40.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsched.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsecomr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vshwin32.exe
    3⤵
    PID:600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vshwin32vbcmserv.exe
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsmain.exe
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsmon.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsstat.exe
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vswin9xe.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vswinntse.exe
    3⤵
    PID:536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im w9x.exe
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im watchdog.exe
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im webscanx.exe
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im webtrap.exe
    3⤵
    - Kills process with taskkill
    PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wfindv32.exe
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wgfe95.exe
    3⤵
    - Kills process with taskkill
    PID:2984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im whoswatchingme.exe
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wimmun32.exe
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winrecon.exe
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winroute.exe
    3⤵
    PID:840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winsfcm.exe
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wnt.exe
    3⤵
    - Kills process with taskkill
    PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wqkmm3878.exe
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wradmin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wrctrl.exe
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wsbgate.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wyvernworksfirewall.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zapro.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zatutor.exe
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zauinst.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zonealarm.exe
    3⤵
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CSS Unknow Cheats.txt

Filesize
633B

MD5
6db068432c12c5f2171adba9712054a0

SHA1
299ba04fd1b7ee88c8eba2156ed71b74e0ed2cb0

SHA256
651d73262b3f8deb4eaedcb4080c23aa533db7617da3eee284fdf57f57a10e18

SHA512
0a172dd5621a38ea182aa592f95628606143f3b019f1bb18b2ebe59f8c928edcfb415275fa3592a8339f26b1a566d425c18e52d345e26f94f06dcf7ab23b56dc

Download Submit
C:\Windows\SysWOW64\Ultimate AV Killer By Royal 07 10 07.bat

Filesize
15KB

MD5
2c403069bcf6215c0a9a422928b41497

SHA1
95d8e4697bc30a713e897ee3f03e2188091d540a

SHA256
afa1eff5e824055b4e54103e9021eaf84d906f9ca34d067bf61af13f5e55de4c

SHA512
c869d9aae842f28f00625a2ff091c51c982273b2bd74096e45a108b25e0bd2b8dbba157034acc97fbe13872220f5de20ace062c0bbb2112cdbc877a5ee9b7378

Download Submit
\Windows\SysWOW64\Test.exe

Filesize
270KB

MD5
d5698f0305f77827eb3277454a1f868c

SHA1
dedb5acd354079ac4352ad17737f84348298938b

SHA256
a9816b715562c9aedcfe7cab14b6da51c6d2483936d64beee5ce61b30bc3374e

SHA512
c14c22f735742b416893b6bdd2c90aed435e9ee0b1db638666ca4c32717dc7e40a67df12d4b9ca65135b5477ed76b442f49bc0ecd4c84bd8828ad5152e8c8f79

Download Submit
memory/2712-28-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-46-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-36-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/2764-35-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-43-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-32-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2764-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-52-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-37-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2764-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-67-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-73-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads