modiloader | 9cadd4db012a3ece0d1de8e2ef1b329ca18e46566404c2126a9407e5d94fe194

Analysis

max time kernel
59s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe
Size

304KB
MD5

ddf5f57e2e4164c5e305b726c2427470
SHA1

2b60fc3776c17305a78f4d442cfbd6d673872dd8
SHA256

9cadd4db012a3ece0d1de8e2ef1b329ca18e46566404c2126a9407e5d94fe194
SHA512

88b795de0e4d1bc877244456ce9c14f7fb79c646a01efb6874a76d933ae2d97704fff8fe769a551f51973cc630238d0b9c2c458fbc74535b74e3301c1754ddd1
SSDEEP

6144:JLvB9JiKpeOm9HqkSs80QhYXnOdy/63e3hMSnEjBSBI8L:BAcrm9KKQa+I+KTEjBo

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 33 IoCs

resource	yara_rule
behavioral1/memory/3016-32-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2348-44-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-56-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-73-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2840-89-0x0000000003BE0000-0x0000000003CC5000-memory.dmp	modiloader_stage2
behavioral1/memory/2840-92-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-111-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/1144-110-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/1144-131-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2596-149-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2108-150-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2108-166-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2108-165-0x0000000003D00000-0x0000000003DE5000-memory.dmp	modiloader_stage2
behavioral1/memory/2056-179-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2056-176-0x0000000003DC0000-0x0000000003EA5000-memory.dmp	modiloader_stage2
behavioral1/memory/1568-192-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/1568-191-0x0000000003DC0000-0x0000000003EA5000-memory.dmp	modiloader_stage2
behavioral1/memory/2440-205-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2440-204-0x0000000003C90000-0x0000000003D75000-memory.dmp	modiloader_stage2
behavioral1/memory/2440-203-0x0000000003C90000-0x0000000003D75000-memory.dmp	modiloader_stage2
behavioral1/memory/112-218-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2252-230-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2992-240-0x0000000003E00000-0x0000000003EE5000-memory.dmp	modiloader_stage2
behavioral1/memory/2992-242-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2816-254-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/1956-265-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/1048-279-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/1048-276-0x0000000003DB0000-0x0000000003E95000-memory.dmp	modiloader_stage2
behavioral1/memory/1792-286-0x0000000003570000-0x000000000357C000-memory.dmp	modiloader_stage2
behavioral1/memory/1792-289-0x0000000003BF0000-0x0000000003CD5000-memory.dmp	modiloader_stage2
behavioral1/memory/1792-291-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/692-303-0x0000000000400000-0x00000000004E5000-memory.dmp	modiloader_stage2
behavioral1/memory/2420-315-0x0000000005470000-0x0000000005555000-memory.dmp	modiloader_stage2

Executes dropped EXE 64 IoCs

pid	Process
2412	xp_dn32.exe
2348	msdn32.exe
2992	xp_dn32.exe
2744	msdn32.exe
2788	xp_dn32.exe
2660	msdn32.exe
2028	xp_dn32.exe
2840	msdn32.exe
2132	xp_dn32.exe
1972	msdn32.exe
1564	xp_dn32.exe
1144	msdn32.exe
2072	xp_dn32.exe
2596	msdn32.exe
1240	xp_dn32.exe
2108	msdn32.exe
1852	xp_dn32.exe
2056	msdn32.exe
984	xp_dn32.exe
1568	msdn32.exe
2152	xp_dn32.exe
2440	msdn32.exe
3032	xp_dn32.exe
112	msdn32.exe
1556	xp_dn32.exe
2252	msdn32.exe
1836	xp_dn32.exe
2992	msdn32.exe
2912	xp_dn32.exe
2816	msdn32.exe
2788	xp_dn32.exe
1956	msdn32.exe
1992	xp_dn32.exe
1048	msdn32.exe
556	xp_dn32.exe
1792	msdn32.exe
1976	xp_dn32.exe
692	msdn32.exe
1800	xp_dn32.exe
2420	msdn32.exe
2116	xp_dn32.exe
3008	msdn32.exe
2944	xp_dn32.exe
836	msdn32.exe
2180	xp_dn32.exe
1244	msdn32.exe
1492	xp_dn32.exe
2800	msdn32.exe
984	xp_dn32.exe
1292	msdn32.exe
2988	xp_dn32.exe
1348	msdn32.exe
1736	xp_dn32.exe
1776	msdn32.exe
1028	xp_dn32.exe
2536	msdn32.exe
2936	xp_dn32.exe
2068	msdn32.exe
2984	xp_dn32.exe
2248	msdn32.exe
2952	xp_dn32.exe
2328	msdn32.exe
2184	xp_dn32.exe
2744	msdn32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe

Loads dropped DLL 64 IoCs

pid	Process
3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe
3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe
3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe
3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe
2348	msdn32.exe
2348	msdn32.exe
2348	msdn32.exe
2348	msdn32.exe
2744	msdn32.exe
2744	msdn32.exe
2744	msdn32.exe
2744	msdn32.exe
2660	msdn32.exe
2660	msdn32.exe
2660	msdn32.exe
2660	msdn32.exe
2840	msdn32.exe
2840	msdn32.exe
2840	msdn32.exe
2840	msdn32.exe
1972	msdn32.exe
1972	msdn32.exe
1972	msdn32.exe
1972	msdn32.exe
1144	msdn32.exe
1144	msdn32.exe
1144	msdn32.exe
1144	msdn32.exe
2596	msdn32.exe
2596	msdn32.exe
2596	msdn32.exe
2596	msdn32.exe
2108	msdn32.exe
2108	msdn32.exe
2108	msdn32.exe
2108	msdn32.exe
2056	msdn32.exe
2056	msdn32.exe
2056	msdn32.exe
2056	msdn32.exe
1568	msdn32.exe
1568	msdn32.exe
1568	msdn32.exe
1568	msdn32.exe
2440	msdn32.exe
2440	msdn32.exe
2440	msdn32.exe
2440	msdn32.exe
112	msdn32.exe
112	msdn32.exe
112	msdn32.exe
112	msdn32.exe
2252	msdn32.exe
2252	msdn32.exe
2252	msdn32.exe
2252	msdn32.exe
2992	msdn32.exe
2992	msdn32.exe
2992	msdn32.exe
2992	msdn32.exe
2816	msdn32.exe
2816	msdn32.exe
2816	msdn32.exe
2816	msdn32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3016-0-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/files/0x0008000000016c7c-6.dat	upx
behavioral1/memory/2412-15-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/3016-12-0x00000000020F0000-0x00000000020FC000-memory.dmp	upx
behavioral1/memory/2412-17-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2348-27-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/3016-26-0x0000000003E40000-0x0000000003F25000-memory.dmp	upx
behavioral1/files/0x000a000000012291-25.dat	upx
behavioral1/memory/2992-38-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/3016-32-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2348-44-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2348-42-0x0000000003F20000-0x0000000004005000-memory.dmp	upx
behavioral1/memory/2788-50-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2660-54-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2744-56-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2028-68-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2660-73-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2132-86-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2840-89-0x0000000003BE0000-0x0000000003CC5000-memory.dmp	upx
behavioral1/memory/2840-92-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1564-105-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/1972-111-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1144-110-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2072-123-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2596-129-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1144-128-0x0000000003CE0000-0x0000000003DC5000-memory.dmp	upx
behavioral1/memory/1144-131-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1240-144-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2596-149-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2108-150-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1852-162-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2108-166-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2108-165-0x0000000003D00000-0x0000000003DE5000-memory.dmp	upx
behavioral1/memory/984-175-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2056-179-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1568-177-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2152-189-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/1568-192-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/3032-200-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/112-206-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2440-205-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1556-214-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/112-218-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1836-226-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2252-230-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2912-239-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2992-240-0x0000000003E00000-0x0000000003EE5000-memory.dmp	upx
behavioral1/memory/2992-242-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2788-251-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2816-254-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1992-262-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/1956-265-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/556-274-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/1048-279-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1048-276-0x0000000003DB0000-0x0000000003E95000-memory.dmp	upx
behavioral1/memory/1792-278-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1976-288-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/1792-289-0x0000000003BF0000-0x0000000003CD5000-memory.dmp	upx
behavioral1/memory/1792-291-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/1800-301-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/692-303-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2116-311-0x0000000000010000-0x000000000001C000-memory.dmp	upx
behavioral1/memory/2420-314-0x0000000005470000-0x0000000005555000-memory.dmp	upx
behavioral1/memory/2420-315-0x0000000005470000-0x0000000005555000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdn32 = "C:\\Windows\\system32\\msdn32.exe"	xp_dn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File created	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\msdn32.exe	msdn32.exe
File opened for modification	C:\Windows\SysWOW64\xp_dn32.exe	msdn32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2412	3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2412	3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2412	3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2412	3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2348	3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2348	3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2348	3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2348	3016	ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2992	2348	msdn32.exe	32
PID 2348 wrote to memory of 2992	2348	msdn32.exe	32
PID 2348 wrote to memory of 2992	2348	msdn32.exe	32
PID 2348 wrote to memory of 2992	2348	msdn32.exe	32
PID 2348 wrote to memory of 2744	2348	msdn32.exe	33
PID 2348 wrote to memory of 2744	2348	msdn32.exe	33
PID 2348 wrote to memory of 2744	2348	msdn32.exe	33
PID 2348 wrote to memory of 2744	2348	msdn32.exe	33
PID 2744 wrote to memory of 2788	2744	msdn32.exe	34
PID 2744 wrote to memory of 2788	2744	msdn32.exe	34
PID 2744 wrote to memory of 2788	2744	msdn32.exe	34
PID 2744 wrote to memory of 2788	2744	msdn32.exe	34
PID 2744 wrote to memory of 2660	2744	msdn32.exe	35
PID 2744 wrote to memory of 2660	2744	msdn32.exe	35
PID 2744 wrote to memory of 2660	2744	msdn32.exe	35
PID 2744 wrote to memory of 2660	2744	msdn32.exe	35
PID 2660 wrote to memory of 2028	2660	msdn32.exe	36
PID 2660 wrote to memory of 2028	2660	msdn32.exe	36
PID 2660 wrote to memory of 2028	2660	msdn32.exe	36
PID 2660 wrote to memory of 2028	2660	msdn32.exe	36
PID 2660 wrote to memory of 2840	2660	msdn32.exe	37
PID 2660 wrote to memory of 2840	2660	msdn32.exe	37
PID 2660 wrote to memory of 2840	2660	msdn32.exe	37
PID 2660 wrote to memory of 2840	2660	msdn32.exe	37
PID 2840 wrote to memory of 2132	2840	msdn32.exe	38
PID 2840 wrote to memory of 2132	2840	msdn32.exe	38
PID 2840 wrote to memory of 2132	2840	msdn32.exe	38
PID 2840 wrote to memory of 2132	2840	msdn32.exe	38
PID 2840 wrote to memory of 1972	2840	msdn32.exe	39
PID 2840 wrote to memory of 1972	2840	msdn32.exe	39
PID 2840 wrote to memory of 1972	2840	msdn32.exe	39
PID 2840 wrote to memory of 1972	2840	msdn32.exe	39
PID 1972 wrote to memory of 1564	1972	msdn32.exe	40
PID 1972 wrote to memory of 1564	1972	msdn32.exe	40
PID 1972 wrote to memory of 1564	1972	msdn32.exe	40
PID 1972 wrote to memory of 1564	1972	msdn32.exe	40
PID 1972 wrote to memory of 1144	1972	msdn32.exe	41
PID 1972 wrote to memory of 1144	1972	msdn32.exe	41
PID 1972 wrote to memory of 1144	1972	msdn32.exe	41
PID 1972 wrote to memory of 1144	1972	msdn32.exe	41
PID 1144 wrote to memory of 2072	1144	msdn32.exe	42
PID 1144 wrote to memory of 2072	1144	msdn32.exe	42
PID 1144 wrote to memory of 2072	1144	msdn32.exe	42
PID 1144 wrote to memory of 2072	1144	msdn32.exe	42
PID 1144 wrote to memory of 2596	1144	msdn32.exe	43
PID 1144 wrote to memory of 2596	1144	msdn32.exe	43
PID 1144 wrote to memory of 2596	1144	msdn32.exe	43
PID 1144 wrote to memory of 2596	1144	msdn32.exe	43
PID 2596 wrote to memory of 1240	2596	msdn32.exe	44
PID 2596 wrote to memory of 1240	2596	msdn32.exe	44
PID 2596 wrote to memory of 1240	2596	msdn32.exe	44
PID 2596 wrote to memory of 1240	2596	msdn32.exe	44
PID 2596 wrote to memory of 2108	2596	msdn32.exe	45
PID 2596 wrote to memory of 2108	2596	msdn32.exe	45
PID 2596 wrote to memory of 2108	2596	msdn32.exe	45
PID 2596 wrote to memory of 2108	2596	msdn32.exe	45

C:\Users\Admin\AppData\Local\Temp\ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ddf5f57e2e4164c5e305b726c2427470_JaffaCakes118.exe"
1⤵
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\xp_dn32.exe
  "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\SysWOW64\msdn32.exe
  "C:\Windows\system32\msdn32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\xp_dn32.exe
    "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2992
- - C:\Windows\SysWOW64\msdn32.exe
    "C:\Windows\system32\msdn32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\xp_dn32.exe
      "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2788
  - - C:\Windows\SysWOW64\msdn32.exe
      "C:\Windows\system32\msdn32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        5⤵
        Executes dropped EXE
        
        PID:2028
    - - C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        6⤵
        Executes dropped EXE
        
        PID:2132
      - C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1564
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        8⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        9⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        10⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2056
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        11⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2152
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        13⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1556
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        15⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2992
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2912
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2816
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        17⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        17⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        18⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        18⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        19⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        19⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        20⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        20⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        21⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        22⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        23⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        23⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        24⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        24⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        25⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        25⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        26⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        26⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        27⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        27⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1736
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1028
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        29⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        30⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2984
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        32⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        32⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2184
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        33⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        34⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        35⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        35⤵
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        36⤵
        
        PID:376
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        37⤵
        Adds Run key to start application
        
        PID:2116
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        37⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        38⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        38⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        39⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        39⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        40⤵
        
        PID:440
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        40⤵
        
        PID:396
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        41⤵
        
        PID:936
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        41⤵
        
        PID:920
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        42⤵
        
        PID:336
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        42⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        43⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        43⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        44⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        45⤵
        Adds Run key to start application
        
        PID:1920
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        45⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        46⤵
        Adds Run key to start application
        
        PID:3020
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        46⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        47⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        47⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        48⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        49⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        49⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        50⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        51⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        51⤵
        
        PID:564
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        52⤵
        Adds Run key to start application
        
        PID:2836
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        52⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        53⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        53⤵
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        54⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        54⤵
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        55⤵
        
        PID:844
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        56⤵
        
        PID:780
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        57⤵
        
        PID:532
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        57⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        58⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        58⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        59⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        59⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        60⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        60⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        61⤵
        Adds Run key to start application
        
        PID:2464
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        62⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        63⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        64⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        64⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        65⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        65⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        66⤵
        Adds Run key to start application
        
        PID:2900
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        66⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        67⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        67⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        68⤵
        Adds Run key to start application
        
        PID:2844
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        69⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        69⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        70⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        71⤵
        Adds Run key to start application
        
        PID:564
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        72⤵
        Adds Run key to start application
        
        PID:1996
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        72⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        73⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        73⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        74⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        75⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        75⤵
        
        PID:568
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        76⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        76⤵
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        77⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        77⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        78⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        78⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        79⤵
        
        PID:984
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        79⤵
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        80⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        80⤵
        
        PID:896
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        81⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        81⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        82⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        82⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        83⤵
        Adds Run key to start application
        
        PID:1856
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        83⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        84⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        84⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        85⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        85⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        86⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        87⤵
        Adds Run key to start application
        
        PID:2304
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        87⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        88⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        88⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        89⤵
        
        PID:660
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        90⤵
        
        PID:692
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        90⤵
        
        PID:764
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        91⤵
        Adds Run key to start application
        
        PID:588
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        91⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        92⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        92⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        93⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        93⤵
        
        PID:532
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        94⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        95⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        95⤵
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        96⤵
        
        PID:336
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        96⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        97⤵
        
        PID:984
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        98⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        98⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        99⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        99⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        100⤵
        Adds Run key to start application
        
        PID:308
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        100⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        101⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        102⤵
        Adds Run key to start application
        
        PID:1272
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        102⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        103⤵
        Adds Run key to start application
        
        PID:2936
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        103⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        104⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        104⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        105⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        105⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        106⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        107⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        107⤵
        
        PID:660
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        108⤵
        Adds Run key to start application
        
        PID:1608
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        108⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        109⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        109⤵
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        110⤵
        Adds Run key to start application
        
        PID:764
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        110⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        111⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        112⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        112⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        113⤵
        Adds Run key to start application
        
        PID:532
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        113⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        114⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        115⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        115⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        116⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        116⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        117⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        117⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        118⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        118⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        119⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        120⤵
        Adds Run key to start application
        
        PID:1848
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        120⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        121⤵
        Adds Run key to start application
        
        PID:2716
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        121⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        122⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        122⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        123⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        123⤵
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        124⤵
        Adds Run key to start application
        
        PID:2772
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        124⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        125⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        125⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        126⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        127⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        128⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        128⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        129⤵
        Adds Run key to start application
        
        PID:1280
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        129⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        130⤵
        Adds Run key to start application
        
        PID:1944
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        130⤵
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        131⤵
        Adds Run key to start application
        
        PID:1656
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        132⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        133⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        133⤵
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        134⤵
        
        PID:920
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        134⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        135⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        135⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        136⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        136⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        137⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        138⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        138⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        139⤵
        Adds Run key to start application
        
        PID:2908
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        139⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        140⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        140⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        141⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        142⤵
        Adds Run key to start application
        
        PID:2008
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        142⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        143⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        144⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        144⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        145⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        145⤵
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        146⤵
        
        PID:576
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        146⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        147⤵
        
        PID:532
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        147⤵
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        148⤵
        Adds Run key to start application
        
        PID:1124
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        149⤵
        Adds Run key to start application
        
        PID:984
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        149⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        150⤵
        Adds Run key to start application
        
        PID:700
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        150⤵
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        151⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        151⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        152⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        152⤵
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        153⤵
        
        PID:992
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        153⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        154⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        155⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        155⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        156⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        156⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        157⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        157⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        158⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        158⤵
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        159⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        159⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        160⤵
        Adds Run key to start application
        
        PID:1880
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        160⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        161⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        162⤵
        
        PID:844
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        163⤵
        Adds Run key to start application
        
        PID:952
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        163⤵
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        164⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        164⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        165⤵
        
        PID:760
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        165⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        166⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        167⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        167⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        168⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        168⤵
        
        PID:316
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        169⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        169⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        170⤵
        Adds Run key to start application
        
        PID:2796
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        170⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        171⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        171⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        172⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        172⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        173⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        173⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        174⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        174⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        175⤵
        Adds Run key to start application
        
        PID:2772
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        176⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        176⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        177⤵
        Adds Run key to start application
        
        PID:352
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        177⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        178⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        179⤵
        Adds Run key to start application
        
        PID:2460
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        180⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        180⤵
        
        PID:576
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        181⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        181⤵
        
        PID:816
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        182⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        182⤵
        Drops file in System32 directory
        
        PID:784
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        183⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        183⤵
        
        PID:268
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        184⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        185⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        185⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        186⤵
        
        PID:880
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        186⤵
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        187⤵
        Adds Run key to start application
        
        PID:1640
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        187⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        188⤵
        Adds Run key to start application
        
        PID:1672
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        188⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        189⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        189⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        190⤵
        
        PID:688
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        190⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        191⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        191⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        192⤵
        Adds Run key to start application
        
        PID:2928
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        192⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        193⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        193⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        194⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        195⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        195⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        196⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        196⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        197⤵
        
        PID:836
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        197⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        198⤵
        Adds Run key to start application
        
        PID:1504
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        198⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        199⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        199⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        200⤵
        
        PID:984
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        200⤵
        
        PID:784
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        201⤵
        Adds Run key to start application
        
        PID:2312
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        201⤵
        
        PID:268
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        202⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        202⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        203⤵
        Adds Run key to start application
        
        PID:2360
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        204⤵
        Adds Run key to start application
        
        PID:2060
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        205⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        205⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        206⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        206⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        207⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        207⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        208⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        208⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        209⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        209⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        210⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        211⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        212⤵
        Adds Run key to start application
        
        PID:2600
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        212⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        213⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        213⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        214⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        214⤵
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        215⤵
        Adds Run key to start application
        
        PID:2212
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        215⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        216⤵
        
        PID:276
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        216⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        217⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        217⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        218⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        218⤵
        
        PID:784
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        219⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        219⤵
        
        PID:268
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        220⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        220⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        221⤵
        
        PID:700
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        222⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        222⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        223⤵
        Adds Run key to start application
        
        PID:2980
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        223⤵
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        224⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        224⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        225⤵
        Adds Run key to start application
        
        PID:2396
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        225⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        226⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        226⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        227⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        228⤵
        Adds Run key to start application
        
        PID:2836
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        228⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        229⤵
        Adds Run key to start application
        
        PID:2964
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        230⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        230⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        231⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        231⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        232⤵
        Adds Run key to start application
        
        PID:3004
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        232⤵
        
        PID:968
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        233⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        233⤵
        
        PID:760
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        234⤵
        Adds Run key to start application
        
        PID:936
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        234⤵
        
        PID:984
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        235⤵
        
        PID:916
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        235⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        236⤵
        
        PID:800
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        237⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        237⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        238⤵
        Adds Run key to start application
        
        PID:1640
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        238⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        239⤵
        Adds Run key to start application
        
        PID:2556
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        239⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        240⤵
        Adds Run key to start application
        
        PID:2880
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        240⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        241⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        242⤵
        Adds Run key to start application
        
        PID:2816
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        242⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        243⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        243⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        244⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        244⤵
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        245⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        245⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        246⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        246⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        247⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        247⤵
        
        PID:264
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        248⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        248⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        249⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        249⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        250⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        250⤵
        
        PID:968
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        251⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        251⤵
        
        PID:760
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        252⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        252⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        253⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        253⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        254⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        254⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        255⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        255⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        256⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        256⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        257⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        257⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        258⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        258⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        259⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        259⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        260⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        260⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        261⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        261⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        262⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        262⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        263⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        263⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        264⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        264⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        265⤵
        
        PID:952
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        265⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        266⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        266⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        267⤵
        
        PID:608
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        267⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        268⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        268⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        269⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        269⤵
        
        PID:760
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        270⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        270⤵
        
        PID:916
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        271⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        271⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        272⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        272⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        273⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        273⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        274⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        274⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        275⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        275⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        276⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        276⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        277⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        277⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        278⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        278⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        279⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        279⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        280⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        280⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        281⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        281⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        282⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        282⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        283⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        283⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        284⤵
        
        PID:276
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        284⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        285⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        285⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        286⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        286⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        287⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        287⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        288⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        288⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        289⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        289⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        290⤵
        
        PID:916
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        290⤵
        
        PID:784
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        291⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        291⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        292⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        292⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        293⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        293⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        294⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        294⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        295⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        295⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        296⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        296⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        297⤵
        
        PID:564
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        297⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        298⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        298⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        299⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        299⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        300⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        300⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        301⤵
        
        PID:952
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        301⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        302⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        302⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        303⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        303⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        304⤵
        
        PID:576
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        304⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        305⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        305⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        306⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        306⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        307⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        307⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        308⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        308⤵
        
        PID:896
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        309⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        309⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        310⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        310⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        311⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        311⤵
        
        PID:688
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        312⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        312⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        313⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        313⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        314⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        314⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        315⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        315⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        316⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        316⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        317⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        317⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        318⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        318⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        319⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        319⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        320⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        320⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        321⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        321⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        322⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        322⤵
        
        PID:936
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        323⤵
        
        PID:820
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        323⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        324⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        324⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        325⤵
        
        PID:532
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        325⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        326⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        326⤵
        
        PID:888
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        327⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        327⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        328⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        328⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        329⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        329⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        330⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        330⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        331⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        331⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        332⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        332⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        333⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        333⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        334⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        334⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        335⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        335⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        336⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        336⤵
        
        PID:592
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        337⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        337⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        338⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        338⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        339⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        339⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        340⤵
        
        PID:568
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        340⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        341⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        341⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        342⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        342⤵
        
        PID:936
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        343⤵
        
        PID:396
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        343⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        344⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        344⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        345⤵
        
        PID:308
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        345⤵
        
        PID:992
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        346⤵
        
        PID:268
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        346⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        347⤵
        
        PID:896
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        347⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        348⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        348⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        349⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        349⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        350⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        350⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        351⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        351⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        352⤵
        
        PID:672
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        352⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        353⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        353⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        354⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        354⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        355⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        355⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        356⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        356⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        357⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        357⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        358⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        358⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        359⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        359⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        360⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        360⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        361⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        361⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        362⤵
        
        PID:816
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        362⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        363⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        363⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        364⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        364⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        365⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        365⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        366⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        366⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        367⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        367⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        368⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        368⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        369⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        369⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        370⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        370⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        371⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        371⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        372⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        372⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        373⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        373⤵
        
        PID:636
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        374⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        374⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        375⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        375⤵
        
        PID:844
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        376⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        376⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        377⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        377⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        378⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        378⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        379⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        379⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        380⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        380⤵
        
        PID:996
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        381⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        381⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        382⤵
        
        PID:760
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        382⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        383⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        383⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        384⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        384⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        385⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        385⤵
        
        PID:992
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        386⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        386⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        387⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        387⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        388⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        388⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        389⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        389⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        390⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        390⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        391⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        391⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        392⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        392⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        393⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        393⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        394⤵
        
        PID:592
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        394⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        395⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        395⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        396⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        396⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        397⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        397⤵
        
        PID:568
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        398⤵
        
        PID:820
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        398⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        399⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        399⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        400⤵
        
        PID:836
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        400⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        401⤵
        
        PID:532
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        401⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        402⤵
        
        PID:308
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        402⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        403⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        403⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        404⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        404⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        405⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        405⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        406⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        406⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        407⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        407⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        408⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        408⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        409⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        409⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        410⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        410⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        411⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        411⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        412⤵
        
        PID:692
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        412⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        413⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        413⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        414⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        414⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        415⤵
        
        PID:276
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        415⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        416⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        416⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        417⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        417⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        418⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        418⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        419⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        419⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        420⤵
        
        PID:396
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        420⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        421⤵
        
        PID:984
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        421⤵
        
        PID:916
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        422⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        422⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        423⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        423⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        424⤵
        
        PID:964
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        424⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        425⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        425⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        426⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        426⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        427⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        427⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        428⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        428⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        429⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        429⤵
        
        PID:564
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        430⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        430⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        431⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        431⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        432⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        432⤵
        
        PID:592
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        433⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        433⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        434⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        434⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        435⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        435⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        436⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        436⤵
        
        PID:820
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        437⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        437⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        438⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        438⤵
        
        PID:836
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        439⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        439⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        440⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        440⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        441⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        441⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        442⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        442⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        443⤵
        
        PID:964
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        443⤵
        
        PID:932
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        444⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        444⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        445⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        445⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        446⤵
        
        PID:556
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        446⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        447⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        447⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        448⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        448⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        449⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        449⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        450⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        450⤵
        
        PID:692
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        451⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        451⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        452⤵
        
        PID:952
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        452⤵
        
        PID:660
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        453⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        453⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        454⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        454⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        455⤵
        
        PID:568
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        455⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        456⤵
        
        PID:800
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        456⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        457⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        457⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        458⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        458⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        459⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        459⤵
        
        PID:308
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        460⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        460⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        461⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        461⤵
        
        PID:916
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        462⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        462⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        463⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        463⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        464⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        464⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        465⤵
        
        PID:376
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        465⤵
        
        PID:888
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        466⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        466⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        467⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        467⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        468⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        468⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        469⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        469⤵
        
        PID:352
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        470⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        470⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        471⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        471⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        472⤵
        
        PID:844
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        472⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        473⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        473⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        474⤵
        
        PID:568
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        474⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        475⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        475⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        476⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        476⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        477⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        477⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        478⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        478⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        479⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        479⤵
        
        PID:268
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        480⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        480⤵
        
        PID:908
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        481⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        481⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        482⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        482⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        483⤵
        
        PID:688
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        483⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        484⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        484⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        485⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        485⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        486⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        486⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        487⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        487⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        488⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        488⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        489⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        489⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        490⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\msdn32.exe
        
        "C:\Windows\system32\msdn32.exe"
        490⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\xp_dn32.exe
        
        "C:\Windows\System32\xp_dn32.exe" C:\Windows\system32\msdn32.exe msdn32 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        491⤵
        
        PID:2524

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msdn32.exe

Filesize
304KB

MD5
ddf5f57e2e4164c5e305b726c2427470

SHA1
2b60fc3776c17305a78f4d442cfbd6d673872dd8

SHA256
9cadd4db012a3ece0d1de8e2ef1b329ca18e46566404c2126a9407e5d94fe194

SHA512
88b795de0e4d1bc877244456ce9c14f7fb79c646a01efb6874a76d933ae2d97704fff8fe769a551f51973cc630238d0b9c2c458fbc74535b74e3301c1754ddd1

Download Submit
\Windows\SysWOW64\xp_dn32.exe

Filesize
4KB

MD5
c027e6dbcda2fd686e2f1230dd6af58d

SHA1
3755dba704bf8b5d7a3365789e3e5f4c4634aae2

SHA256
d8eed24f0e3afd63aa132556f6f8072c73acaaabf3cae0caadf6dd1f3ada9876

SHA512
bd198021bbffe32e6e50d5cc12a3430d014ed3b14ab3e62c1cee1a56b596d60425039b45e244b90bd6aa77a5cf6d6fe44ad20f8b8f0fb9b814ef22f917fc7136

Download Submit
memory/112-206-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/112-216-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/112-215-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/112-218-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/556-274-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/692-303-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/692-299-0x00000000036B0000-0x00000000036BC000-memory.dmp

Filesize
48KB

Download
memory/692-298-0x00000000036B0000-0x00000000036BC000-memory.dmp

Filesize
48KB

Download
memory/984-175-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/1048-275-0x0000000003DB0000-0x0000000003E95000-memory.dmp

Filesize
916KB

Download
memory/1048-276-0x0000000003DB0000-0x0000000003E95000-memory.dmp

Filesize
916KB

Download
memory/1048-272-0x0000000002040000-0x000000000204C000-memory.dmp

Filesize
48KB

Download
memory/1048-279-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1144-128-0x0000000003CE0000-0x0000000003DC5000-memory.dmp

Filesize
916KB

Download
memory/1144-131-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1144-124-0x00000000036B0000-0x00000000036BC000-memory.dmp

Filesize
48KB

Download
memory/1144-110-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1240-144-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/1556-214-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/1564-105-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/1568-187-0x0000000002080000-0x000000000208C000-memory.dmp

Filesize
48KB

Download
memory/1568-186-0x0000000002080000-0x000000000208C000-memory.dmp

Filesize
48KB

Download
memory/1568-192-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1568-191-0x0000000003DC0000-0x0000000003EA5000-memory.dmp

Filesize
916KB

Download
memory/1568-177-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1792-291-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1792-278-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1792-286-0x0000000003570000-0x000000000357C000-memory.dmp

Filesize
48KB

Download
memory/1792-289-0x0000000003BF0000-0x0000000003CD5000-memory.dmp

Filesize
916KB

Download
memory/1800-301-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/1836-226-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/1852-162-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/1956-265-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1956-263-0x0000000003C20000-0x0000000003D05000-memory.dmp

Filesize
916KB

Download
memory/1972-111-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1972-102-0x0000000001E80000-0x0000000001E8C000-memory.dmp

Filesize
48KB

Download
memory/1976-288-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/1992-262-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2028-68-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2056-173-0x00000000032C0000-0x00000000032CC000-memory.dmp

Filesize
48KB

Download
memory/2056-176-0x0000000003DC0000-0x0000000003EA5000-memory.dmp

Filesize
916KB

Download
memory/2056-179-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2072-123-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2108-150-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2108-166-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2108-163-0x00000000031C0000-0x00000000031CC000-memory.dmp

Filesize
48KB

Download
memory/2108-165-0x0000000003D00000-0x0000000003DE5000-memory.dmp

Filesize
916KB

Download
memory/2116-311-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2132-86-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2152-189-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2184-449-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2252-228-0x0000000001EC0000-0x0000000001ECC000-memory.dmp

Filesize
48KB

Download
memory/2252-227-0x0000000001EC0000-0x0000000001ECC000-memory.dmp

Filesize
48KB

Download
memory/2252-230-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2348-42-0x0000000003F20000-0x0000000004005000-memory.dmp

Filesize
916KB

Download
memory/2348-27-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2348-44-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2348-35-0x0000000002070000-0x000000000207C000-memory.dmp

Filesize
48KB

Download
memory/2412-15-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2412-17-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2420-312-0x00000000036B0000-0x00000000036BC000-memory.dmp

Filesize
48KB

Download
memory/2420-313-0x00000000036B0000-0x00000000036BC000-memory.dmp

Filesize
48KB

Download
memory/2420-314-0x0000000005470000-0x0000000005555000-memory.dmp

Filesize
916KB

Download
memory/2420-315-0x0000000005470000-0x0000000005555000-memory.dmp

Filesize
916KB

Download
memory/2440-201-0x0000000002070000-0x000000000207C000-memory.dmp

Filesize
48KB

Download
memory/2440-204-0x0000000003C90000-0x0000000003D75000-memory.dmp

Filesize
916KB

Download
memory/2440-203-0x0000000003C90000-0x0000000003D75000-memory.dmp

Filesize
916KB

Download
memory/2440-205-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2596-149-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2596-141-0x00000000036B0000-0x00000000036BC000-memory.dmp

Filesize
48KB

Download
memory/2596-129-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2660-73-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2660-65-0x0000000003570000-0x000000000357C000-memory.dmp

Filesize
48KB

Download
memory/2660-54-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2744-47-0x0000000003230000-0x000000000323C000-memory.dmp

Filesize
48KB

Download
memory/2744-56-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2788-251-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2788-50-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2816-249-0x0000000002130000-0x000000000213C000-memory.dmp

Filesize
48KB

Download
memory/2816-252-0x0000000003DB0000-0x0000000003E95000-memory.dmp

Filesize
916KB

Download
memory/2816-254-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2840-92-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2840-83-0x0000000003570000-0x000000000357C000-memory.dmp

Filesize
48KB

Download
memory/2840-89-0x0000000003BE0000-0x0000000003CC5000-memory.dmp

Filesize
916KB

Download
memory/2912-239-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2992-240-0x0000000003E00000-0x0000000003EE5000-memory.dmp

Filesize
916KB

Download
memory/2992-237-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2992-242-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2992-38-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/3016-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3016-29-0x0000000003E40000-0x0000000003F25000-memory.dmp

Filesize
916KB

Download
memory/3016-32-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3016-26-0x0000000003E40000-0x0000000003F25000-memory.dmp

Filesize
916KB

Download
memory/3016-12-0x00000000020F0000-0x00000000020FC000-memory.dmp

Filesize
48KB

Download
memory/3016-13-0x00000000020F0000-0x00000000020FC000-memory.dmp

Filesize
48KB

Download
memory/3016-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3032-200-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads