ardamax | a4edc06ab982e63b074889528e177a043143a994aac4335e1582991e141561a6

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2025, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe
Size

2.4MB
MD5

c0177e9cf4abe6b2007ae61f9a17b78b
SHA1

fab60ea62692fdd7648f3c17504c03303789b301
SHA256

a4edc06ab982e63b074889528e177a043143a994aac4335e1582991e141561a6
SHA512

f9cf21c5a7ec5acef2b490fc848b14e2a66deb04305b28a05bf3f71d7569de61e6002d91a7baea95c10d62c6f4979fccc6faf67a8cab6ef28dfc43ab46ac7f03
SSDEEP

49152:3RXx+3aN1JfK8wDjO7r8SILAwan+xHqysyDBSnKZHWW9oUFOQJCDMuR:3RY6JfK8QjO7r8SILAwan+xKysyDBSnd

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000002421f-66.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Project1 [email protected]

Executes dropped EXE 64 IoCs

pid	Process
5472	msnmsgr.exe
4708	msnmsgr.exe
1920	msnmsgr.exe
3768	Project1 [email protected]
916	msnmsgr.exe
1616	FXOV.exe
3156	Project1.exe
436	msnmsgr.exe
3828	msnmsgr.exe
6076	msnmsgr.exe
3524	msnmsgr.exe
1600	msnmsgr.exe
3656	FXOV.exe
644	msnmsgr.exe
3028	msnmsgr.exe
5016	msnmsgr.exe
4744	msnmsgr.exe
5944	msnmsgr.exe
3332	msnmsgr.exe
956	msnmsgr.exe
4052	msnmsgr.exe
2320	msnmsgr.exe
4912	msnmsgr.exe
4020	msnmsgr.exe
1572	msnmsgr.exe
3224	msnmsgr.exe
4840	msnmsgr.exe
5956	msnmsgr.exe
3676	msnmsgr.exe
5536	msnmsgr.exe
1772	msnmsgr.exe
968	msnmsgr.exe
2968	msnmsgr.exe
4608	msnmsgr.exe
1796	msnmsgr.exe
5368	msnmsgr.exe
8	msnmsgr.exe
3888	msnmsgr.exe
1712	msnmsgr.exe
5280	msnmsgr.exe
3840	msnmsgr.exe
3768	msnmsgr.exe
636	msnmsgr.exe
6248	msnmsgr.exe
6408	msnmsgr.exe
6564	msnmsgr.exe
6736	msnmsgr.exe
6912	msnmsgr.exe
7072	msnmsgr.exe
2492	msnmsgr.exe
6528	msnmsgr.exe
6756	msnmsgr.exe
6964	msnmsgr.exe
6340	msnmsgr.exe
6752	msnmsgr.exe
1052	msnmsgr.exe
6332	msnmsgr.exe
6432	msnmsgr.exe
6304	msnmsgr.exe
7220	msnmsgr.exe
7372	msnmsgr.exe
7536	msnmsgr.exe
7744	msnmsgr.exe
7916	msnmsgr.exe

Loads dropped DLL 64 IoCs

pid	Process
5472	msnmsgr.exe
5472	msnmsgr.exe
5472	msnmsgr.exe
5472	msnmsgr.exe
4708	msnmsgr.exe
4708	msnmsgr.exe
4708	msnmsgr.exe
4708	msnmsgr.exe
1920	msnmsgr.exe
1920	msnmsgr.exe
3768	Project1 [email protected]
1920	msnmsgr.exe
1920	msnmsgr.exe
916	msnmsgr.exe
916	msnmsgr.exe
916	msnmsgr.exe
916	msnmsgr.exe
3156	Project1.exe
3156	Project1.exe
436	msnmsgr.exe
436	msnmsgr.exe
436	msnmsgr.exe
436	msnmsgr.exe
3828	msnmsgr.exe
3828	msnmsgr.exe
3828	msnmsgr.exe
3828	msnmsgr.exe
6076	msnmsgr.exe
6076	msnmsgr.exe
6076	msnmsgr.exe
6076	msnmsgr.exe
3524	msnmsgr.exe
3524	msnmsgr.exe
3524	msnmsgr.exe
3524	msnmsgr.exe
1600	msnmsgr.exe
1600	msnmsgr.exe
1616	FXOV.exe
1616	FXOV.exe
1616	FXOV.exe
1616	FXOV.exe
1616	FXOV.exe
3656	FXOV.exe
3656	FXOV.exe
3656	FXOV.exe
1600	msnmsgr.exe
1600	msnmsgr.exe
644	msnmsgr.exe
644	msnmsgr.exe
644	msnmsgr.exe
644	msnmsgr.exe
644	msnmsgr.exe
644	msnmsgr.exe
644	msnmsgr.exe
644	msnmsgr.exe
3028	msnmsgr.exe
3028	msnmsgr.exe
3028	msnmsgr.exe
3028	msnmsgr.exe
3028	msnmsgr.exe
3028	msnmsgr.exe
3156	Project1.exe
3156	Project1.exe
3156	Project1.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\28463\FXOV.001	Project1 [email protected]
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Project1 [email protected]
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File opened for modification	C:\Windows\SysWOW64\28463	FXOV.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\Version	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\VersionIndependentProgID	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\ = "Nofac class"	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\InprocServer32	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0\0\win32\ = "%ProgramFiles(x86)%\\Windows Media Player\\wmprph.exe"	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\TypeLib\ = "{19113A3B-A8F3-2D15-428C-B2414B54F582}"	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\VersionIndependentProgID\ = "RACplDlg.RASettingProperty"	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0\ = "WMPRichPreviewLauncher 1.0 Type Library"	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0\0	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0\FLAGS	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\TypeLib\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0\FLAGS\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\Version\ = "1.0"	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\InprocServer32\ = "C:\\Windows\\SysWOW64\\RACPLDlg.dll"	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0\0\win32	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\Version\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\ProgID\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\ProgID\ = "RACplDlg.RASettingProperty.1"	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0\	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\TypeLib	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0\FLAGS\ = "0"	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\InprocServer32\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0\0\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19113A3B-A8F3-2D15-428C-B2414B54F582}\1.0\0\win32\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\VersionIndependentProgID\	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DADAFBB-8B56-4878-83A3-4CBE279BEA65}\ProgID	FXOV.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2612	reg.exe
5880	reg.exe
6640	reg.exe
7636	reg.exe
9608	reg.exe
9764	reg.exe
5032	reg.exe
5556	reg.exe
7672	reg.exe
10000	reg.exe
1812	reg.exe
12436	reg.exe
11836	reg.exe
12624	reg.exe
10908	reg.exe
10676	reg.exe
12616	reg.exe
12820	reg.exe
12916	reg.exe
13648	reg.exe
4844	reg.exe
1052	reg.exe
4536	reg.exe
11428	reg.exe
12940	reg.exe
2252	reg.exe
3768	reg.exe
8508	reg.exe
9924	reg.exe
9236	reg.exe
216	reg.exe
14128	reg.exe
2624	reg.exe
1896	reg.exe
10380	reg.exe
10528	reg.exe
3312	reg.exe
12096	reg.exe
4664	reg.exe
552	reg.exe
6788	reg.exe
7008	reg.exe
7052	reg.exe
9404	reg.exe
11252	reg.exe
12272	reg.exe
4436	reg.exe
10244	reg.exe
10892	reg.exe
1856	reg.exe
13812	reg.exe
5812	reg.exe
4384	reg.exe
6336	reg.exe
7008	reg.exe
9076	reg.exe
8780	reg.exe
10740	reg.exe
10248	reg.exe
4864	reg.exe
6160	reg.exe
6496	reg.exe
13232	reg.exe
13472	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5472	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4708	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	1920	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	916	msnmsgr.exe
Token: SeDebugPrivilege	3156	Project1.exe
Token: SeIncBasePriorityPrivilege	436	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3828	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6076	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3524	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	1600	msnmsgr.exe
Token: 33	1616	FXOV.exe
Token: SeIncBasePriorityPrivilege	1616	FXOV.exe
Token: SeIncBasePriorityPrivilege	644	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3028	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5016	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4744	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5944	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3332	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	956	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4052	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	2320	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4912	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4020	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	1572	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3224	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4840	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5956	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3676	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5536	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	1772	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	968	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	2968	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4608	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	1796	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5368	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	8	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3888	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	1712	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5280	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3840	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3768	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	636	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6248	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6408	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6564	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6736	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6912	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	7072	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	2492	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6528	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6756	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6964	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6340	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6752	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	1052	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6332	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6432	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6304	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	7220	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	7372	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	7536	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	7744	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	7916	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	8100	msnmsgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5472	msnmsgr.exe
4708	msnmsgr.exe
1920	msnmsgr.exe
916	msnmsgr.exe
436	msnmsgr.exe
3828	msnmsgr.exe
6076	msnmsgr.exe
3524	msnmsgr.exe
1616	FXOV.exe
1616	FXOV.exe
1616	FXOV.exe
1616	FXOV.exe
1616	FXOV.exe
1600	msnmsgr.exe
644	msnmsgr.exe
3028	msnmsgr.exe
5016	msnmsgr.exe
4744	msnmsgr.exe
5944	msnmsgr.exe
3332	msnmsgr.exe
956	msnmsgr.exe
4052	msnmsgr.exe
2320	msnmsgr.exe
4912	msnmsgr.exe
4020	msnmsgr.exe
1572	msnmsgr.exe
3224	msnmsgr.exe
4840	msnmsgr.exe
5956	msnmsgr.exe
3676	msnmsgr.exe
5536	msnmsgr.exe
1772	msnmsgr.exe
968	msnmsgr.exe
2968	msnmsgr.exe
4608	msnmsgr.exe
1796	msnmsgr.exe
5368	msnmsgr.exe
8	msnmsgr.exe
3888	msnmsgr.exe
1712	msnmsgr.exe
5280	msnmsgr.exe
3840	msnmsgr.exe
3768	msnmsgr.exe
636	msnmsgr.exe
6248	msnmsgr.exe
6408	msnmsgr.exe
6564	msnmsgr.exe
6736	msnmsgr.exe
6912	msnmsgr.exe
7072	msnmsgr.exe
2492	msnmsgr.exe
6528	msnmsgr.exe
6756	msnmsgr.exe
6964	msnmsgr.exe
6340	msnmsgr.exe
6752	msnmsgr.exe
1052	msnmsgr.exe
6332	msnmsgr.exe
6432	msnmsgr.exe
6304	msnmsgr.exe
7220	msnmsgr.exe
7372	msnmsgr.exe
7536	msnmsgr.exe
7744	msnmsgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 5472	2188	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	95
PID 2188 wrote to memory of 5472	2188	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	95
PID 2188 wrote to memory of 5472	2188	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	95
PID 5472 wrote to memory of 2932	5472	msnmsgr.exe	96
PID 5472 wrote to memory of 2932	5472	msnmsgr.exe	96
PID 5472 wrote to memory of 2932	5472	msnmsgr.exe	96
PID 2932 wrote to memory of 8	2932	cmd.exe	98
PID 2932 wrote to memory of 8	2932	cmd.exe	98
PID 2932 wrote to memory of 8	2932	cmd.exe	98
PID 8 wrote to memory of 5812	8	cmd.exe	99
PID 8 wrote to memory of 5812	8	cmd.exe	99
PID 8 wrote to memory of 5812	8	cmd.exe	99
PID 980 wrote to memory of 4708	980	cmd.exe	102
PID 980 wrote to memory of 4708	980	cmd.exe	102
PID 980 wrote to memory of 4708	980	cmd.exe	102
PID 4708 wrote to memory of 4644	4708	msnmsgr.exe	103
PID 4708 wrote to memory of 4644	4708	msnmsgr.exe	103
PID 4708 wrote to memory of 4644	4708	msnmsgr.exe	103
PID 4644 wrote to memory of 4704	4644	cmd.exe	105
PID 4644 wrote to memory of 4704	4644	cmd.exe	105
PID 4644 wrote to memory of 4704	4644	cmd.exe	105
PID 4704 wrote to memory of 4844	4704	cmd.exe	106
PID 4704 wrote to memory of 4844	4704	cmd.exe	106
PID 4704 wrote to memory of 4844	4704	cmd.exe	106
PID 4876 wrote to memory of 1920	4876	cmd.exe	109
PID 4876 wrote to memory of 1920	4876	cmd.exe	109
PID 4876 wrote to memory of 1920	4876	cmd.exe	109
PID 2188 wrote to memory of 3768	2188	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	110
PID 2188 wrote to memory of 3768	2188	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	110
PID 2188 wrote to memory of 3768	2188	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	110
PID 1920 wrote to memory of 1888	1920	msnmsgr.exe	111
PID 1920 wrote to memory of 1888	1920	msnmsgr.exe	111
PID 1920 wrote to memory of 1888	1920	msnmsgr.exe	111
PID 1888 wrote to memory of 1220	1888	cmd.exe	113
PID 1888 wrote to memory of 1220	1888	cmd.exe	113
PID 1888 wrote to memory of 1220	1888	cmd.exe	113
PID 1220 wrote to memory of 5964	1220	cmd.exe	114
PID 1220 wrote to memory of 5964	1220	cmd.exe	114
PID 1220 wrote to memory of 5964	1220	cmd.exe	114
PID 3004 wrote to memory of 916	3004	cmd.exe	117
PID 3004 wrote to memory of 916	3004	cmd.exe	117
PID 3004 wrote to memory of 916	3004	cmd.exe	117
PID 3768 wrote to memory of 1616	3768	Project1 [email protected]	118
PID 3768 wrote to memory of 1616	3768	Project1 [email protected]	118
PID 3768 wrote to memory of 1616	3768	Project1 [email protected]	118
PID 916 wrote to memory of 4248	916	msnmsgr.exe	119
PID 916 wrote to memory of 4248	916	msnmsgr.exe	119
PID 916 wrote to memory of 4248	916	msnmsgr.exe	119
PID 3768 wrote to memory of 3156	3768	Project1 [email protected]	121
PID 3768 wrote to memory of 3156	3768	Project1 [email protected]	121
PID 3768 wrote to memory of 3156	3768	Project1 [email protected]	121
PID 4248 wrote to memory of 464	4248	cmd.exe	122
PID 4248 wrote to memory of 464	4248	cmd.exe	122
PID 4248 wrote to memory of 464	4248	cmd.exe	122
PID 464 wrote to memory of 3476	464	cmd.exe	124
PID 464 wrote to memory of 3476	464	cmd.exe	124
PID 464 wrote to memory of 3476	464	cmd.exe	124
PID 4352 wrote to memory of 436	4352	cmd.exe	127
PID 4352 wrote to memory of 436	4352	cmd.exe	127
PID 4352 wrote to memory of 436	4352	cmd.exe	127
PID 436 wrote to memory of 1032	436	msnmsgr.exe	128
PID 436 wrote to memory of 1032	436	msnmsgr.exe	128
PID 436 wrote to memory of 1032	436	msnmsgr.exe	128
PID 1032 wrote to memory of 6108	1032	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5812
- C:\Users\Admin\AppData\Roaming\Project1 [email protected]
  "C:\Users\Admin\AppData\Roaming\Project1 [email protected]"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\28463\FXOV.exe
    "C:\Windows\system32\28463\FXOV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\Project1.exe
    "C:\Users\Admin\AppData\Local\Temp\Project1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6108
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:780
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4400
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:1472
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4344
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:448
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5048
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3572
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2152
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\28463\FXOV.exe
1⤵
PID:220
- C:\Windows\SysWOW64\28463\FXOV.exe
  C:\Windows\SysWOW64\28463\FXOV.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:2028
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1084
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3716
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4500
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4332
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1208
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4716
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3420
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5128
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6140
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:2440
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5492
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3768
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3476
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5888
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:1192
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:624
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4024
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1652
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5584
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:680
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5764
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:400
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1408
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3648
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3732
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1940
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5596
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4668
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3440
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4792
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5964
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3888
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:696
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5148
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5480
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:2864
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4400
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:368
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4344
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3140
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3648
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4948
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:1872
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1964
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5136
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:464
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:1320
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2492
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3584
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5048
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4364
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4948
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1940
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5952
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5280
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:2936
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2136
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:2376
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1888
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:1504
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5880
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2548
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2136
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5864
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2024
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2140
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4196
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5848
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3988
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6148
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:6160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6184
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6324
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:6336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6360
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6436
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6480
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:6496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6516
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6592
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6640
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6676
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6828
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6864
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6992
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:7008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7024
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:7072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7156
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6168
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6328
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6308
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6500
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6444
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6660
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:6640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6616
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6856
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6808
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6960
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7164
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7140
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7100
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6284
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6592
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6640
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6824
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7116
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6280
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6452
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6812
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7012
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:7008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6788
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6948
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:7052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6828
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:7220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7248
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7292
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7324
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:7372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7452
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7484
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:7536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7684
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:7744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7828
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:7840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7864
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8004
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8036
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:8100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8172
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7136
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6948
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7292
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:7272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7256
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7580
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:7636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4836
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7784
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:7812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7944
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8116
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7052
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:7400
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7640

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:8128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6088
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7588
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7812
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7876
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1976
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7736
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:7836
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7840
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7588
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8064
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7464
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8120
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:7672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8064
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7336
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7280
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7308
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8312
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8344
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8420
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8464
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8496
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8640
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8672
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8800
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8832
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8960
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8992
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9116
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9148
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4080
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8276
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8484
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8420
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8744
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8984
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8968
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9184
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:9076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7252
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:7816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8380
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8412
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8268
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8952
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8976
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7724
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:8508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8484
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:8476
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9004
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8820
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9100
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8636
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8748
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4660
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9096
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:8780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9184
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3504
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9236
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:9256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9272
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9348
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9392
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:9404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9424
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:9484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:9592
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:9608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9624
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9788
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9908
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:9924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9952
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10088
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10128
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10208
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9256
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:9236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8460
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:8648
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:9336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9380
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:9436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9512
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:9584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9780
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:9764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9744
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9872
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:10000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10032
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5512
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5372
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9416
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9436
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:9380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:9412
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9756
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9924
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:9980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4860
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:216
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10212
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9376
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3832
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1988
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6068
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9356
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9444
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10156
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:9912
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9284
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9800
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:9752
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:1316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9904
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4380
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5404
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:10244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10264
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10392
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:10404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10436
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10556
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:10580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10600
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10728
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:10740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10760
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10896
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:10908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10928
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11064
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11108
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11236
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:11252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10244
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10360
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10344
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10348
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5220
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10548
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:10556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10636
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:10676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10740
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10900
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:10892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10844
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11204
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:10248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11240
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:11236
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:920
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:10380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10524
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10540
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:10528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10712
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:10860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11052
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:11252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11172
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:11204
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10340
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10420
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10772
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:5148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6016
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11252
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10584
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5788
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:11048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4668
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:5124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3312
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4364
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5556
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10384
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11008
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:10892
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11408
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:11420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11440
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11568
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:11580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11600
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11728
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:11744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11772
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11936
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11968
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:12024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12052
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12096
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:12108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12128
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12212
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12256
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:12272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6400
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5848
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:6416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11452
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:11428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11400
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:11536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11692
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:11884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:11948
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:11916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6236
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12116
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:12096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12084
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12260
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:12256
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12240
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11388
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:11428
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:6576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11572
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:6344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:11836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11840
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7124
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11088
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6772
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11568
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6588
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6244
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12252
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:6236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11568
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:11636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7064
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:6172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11540
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:11476
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11544
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:760
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7216
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6308
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4000
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12292
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:12348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12380
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12424
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:12436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12460
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:12604
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:12616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12644
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12808
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:12820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12840
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12968
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13000
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:13048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13120
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13152
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:13212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13240
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:13292
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11356
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12492
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:12568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12620
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:12592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7180
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12768
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12828
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12948
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:12940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13064
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7928
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13284
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12420
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:12624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5384
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12924
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:12916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12920
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:12988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5004
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:13232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13272
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12404
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7812
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7904
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:12948
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:12992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6972
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:13164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13236
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:7672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12552
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:12424
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:11856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8156
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7988
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12492
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:7928
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4000
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:12912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12968
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13328
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13460
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:13472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13500
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:13548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13636
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:13648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13672
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13800
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:13812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13832
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13968
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14000
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:14136
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:14148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14172
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:14248
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:14300
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:14312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14332
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13344
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13472
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:13452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13416
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13636
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:13600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13608
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13932
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13992
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14072
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:14144
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:14128

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@76A7.tmp

Filesize
4KB

MD5
557e0039dc13a0453af7ca9373a0d301

SHA1
50efb19b1b1eddd10ddb4c2ff23d18cccba92dfe

SHA256
54850e4c8644c042b15dab73a15135105ff84a240d26d1476c8b80d176a341fc

SHA512
d96fdc89ddbcd8459966c9548d3243a0fa319f8be2f418b4e17f313fb3f86d32dd7f254a035641f35e35ed849832773c0d1fe34ff362761309c64e959c025a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
145KB

MD5
5f28dc2968972e7bfe69a8330da73ea9

SHA1
7bb71a74dcbcfeaf291b0450d88d7a0b2d3dd501

SHA256
7e4da6b8889be0c812ded5547ffc7a0eaadcdf32246c9b1e1c493b1eaaecfa09

SHA512
c51bf36a006319815c5f9acce5ef601af1c8b5643446cb5b1486db4434e10166be6a3cde63f9a1ced95fe9222396575421ddf44bdeb31229e24272b7390066b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
151B

MD5
df152fd80d8fb72198df347eabdec1fc

SHA1
6244e2a1d6395d801da624620f25f8b014f7674f

SHA256
f822405fe96cb799dbb8da5e3837e820e3f7afa255237efd62160073ba0d90a3

SHA512
c45d6809b0e24ea1dfc2bd3b5ae9655cafccb6cba164493a28692319674c97504e7e08af42f6a97b220a0d99ccaa2be77edc802899eb520841413b845dd0ee2f

Download Submit
C:\Users\Admin\AppData\Roaming\Project1 [email protected]

Filesize
848KB

MD5
cbff3c6d23fbe977bf6a0172c5cab877

SHA1
bfedcf444c4e9ef2a2ac551bfe680e607f400b1c

SHA256
977f3ce07fe59c534769563efd9887ae33d8df4e06468a9380e697460b491e0e

SHA512
959575e2e6786d5741873a1bab29b0bef5d89360dc874091ccb040b33715bad4f8b8e11efd1a5e553a5ae632f1f1a3543cbfeac0cad94ecd159958510f6c11c0

Download Submit
C:\Users\Admin\AppData\Roaming\msnmsgr.exe

Filesize
589KB

MD5
30223bd43df984fc7668e6b3993ed13c

SHA1
b348c353702d19bcdbdb4550f0988a3c28602657

SHA256
2bb60a86383200a328fa27c063f688618b13ee081490f90bee079d2af86c2991

SHA512
db74d7f2805cd9ed31d5dbed58abb7c1f24f67aed54a0194429df38078aa8d159912526260310315a2c1f499ade2171c17891aa8ea904285d3e3c300bf6fab44

Download Submit
C:\Users\Admin\AppData\Roaming\ntcom.dll

Filesize
453KB

MD5
1985a5959fe8dd6dba46310722794aea

SHA1
c40c0b0c00ca673ec56cdff40f3fd89e5e76af1c

SHA256
c405a73aaf3e80bba1735a4673a7f2e17d9c4d9278b48cbddd1648ae9d0af728

SHA512
034e7cc2c48bacf34de4d5646b255160b3a6fc0a50bf6f87acfaba0cb354a99c90b13b570297b686280874865b09517e8180aa1950900602c769af0e0c16c4a8

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
bf3f029b48698972471caaa7e9cea759

SHA1
304ef8b5c72bf95e5d3efa18e5587c6d9cacfd15

SHA256
2f55fb7d6318f940c208276c25d63d7a7a8406da1c82f51305f1ce6381ac1aa5

SHA512
0fcc2c42ba1cf816152f1e116789c615956024b58a06a985c79ac9b71fa10dc232a5c4210f18f4d3a70730454cbdc2b3da56d24e4da207d58ce2446424b68d00

Download Submit
C:\Windows\SysWOW64\28463\FXOV.001

Filesize
382B

MD5
601a3acadbcd5c6866921570bb700212

SHA1
e594de129f142c18abdacc8e44b35758ca36d527

SHA256
ef08718142a1988627df5417f55c8801b0c548aec23bf7a88329755fd08f1b8c

SHA512
2cf7043da13de1171027a2193166dbc3793ffe50d64c70016cc584eb740dd5c69f24d6d2da580b1c0211764cf8cecf9aeeb551da5f7ad6c4ae939c9048b156c5

Download Submit
C:\Windows\SysWOW64\28463\FXOV.006

Filesize
8KB

MD5
5153b016d36928c296131c5c8e669446

SHA1
c444f61a2dc49ede6a2325f26d76af66de5989d2

SHA256
4c52ec0d5d4cad21ed134af76f64c3cb44b826594641f44487e4625f5bc96f59

SHA512
c9084ff30f1f023b1f9cd00dc66cdbf846e95993093163c3e71a13535ccfc79d59be5b28a78ccfa6b0a82389b08b157676d71a9ccca2c170369080feac386f09

Download Submit
C:\Windows\SysWOW64\28463\FXOV.exe

Filesize
648KB

MD5
5530832fa82582288ce640f73a4915a0

SHA1
c40673ed59a61dd3b39f8ed6d0e1345838d98e44

SHA256
6f7daff3caf7f24a00e08e4ed414b4d23e13d2cac4657ad7a071d9cbeb42cb88

SHA512
ee2a2dc3c85a13b39f15a276f842afab8d341aacb457c1750b8bf0fa46b03a3bfabeff5be6439f3edf2c428d504ecabf07a399ebbdb09a75693309b55903775c

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
memory/436-99-0x0000000002700000-0x0000000002778000-memory.dmp

Filesize
480KB

Download
memory/644-148-0x0000000002320000-0x0000000002398000-memory.dmp

Filesize
480KB

Download
memory/916-74-0x0000000002310000-0x0000000002388000-memory.dmp

Filesize
480KB

Download
memory/956-172-0x00000000024B0000-0x0000000002528000-memory.dmp

Filesize
480KB

Download
memory/1572-192-0x0000000002350000-0x00000000023C8000-memory.dmp

Filesize
480KB

Download
memory/1600-140-0x0000000002810000-0x0000000002888000-memory.dmp

Filesize
480KB

Download
memory/1616-77-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1616-143-0x0000000005330000-0x00000000053A8000-memory.dmp

Filesize
480KB

Download
memory/1616-238-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1920-44-0x00000000020A0000-0x0000000002118000-memory.dmp

Filesize
480KB

Download
memory/2188-23-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/2188-10-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2188-0-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2188-50-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/2320-180-0x0000000002660000-0x00000000026D8000-memory.dmp

Filesize
480KB

Download
memory/3028-152-0x00000000020D0000-0x0000000002148000-memory.dmp

Filesize
480KB

Download
memory/3156-95-0x0000000002530000-0x00000000025A8000-memory.dmp

Filesize
480KB

Download
memory/3224-196-0x00000000023B0000-0x0000000002428000-memory.dmp

Filesize
480KB

Download
memory/3524-129-0x0000000002240000-0x00000000022B8000-memory.dmp

Filesize
480KB

Download
memory/3656-144-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3656-146-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3676-209-0x0000000002220000-0x0000000002298000-memory.dmp

Filesize
480KB

Download
memory/3828-109-0x0000000002100000-0x0000000002178000-memory.dmp

Filesize
480KB

Download
memory/4020-188-0x00000000027A0000-0x0000000002818000-memory.dmp

Filesize
480KB

Download
memory/4052-176-0x0000000002690000-0x0000000002708000-memory.dmp

Filesize
480KB

Download
memory/4708-27-0x0000000002270000-0x00000000022E8000-memory.dmp

Filesize
480KB

Download
memory/4708-24-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/4744-160-0x00000000026C0000-0x0000000002738000-memory.dmp

Filesize
480KB

Download
memory/4840-200-0x00000000026D0000-0x0000000002748000-memory.dmp

Filesize
480KB

Download
memory/4912-184-0x00000000027E0000-0x0000000002858000-memory.dmp

Filesize
480KB

Download
memory/5016-156-0x00000000027D0000-0x0000000002848000-memory.dmp

Filesize
480KB

Download
memory/5472-15-0x00000000020E0000-0x0000000002158000-memory.dmp

Filesize
480KB

Download
memory/5472-207-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/5472-221-0x00000000020E0000-0x0000000002158000-memory.dmp

Filesize
480KB

Download
memory/5472-220-0x0000000010000000-0x000000001009D000-memory.dmp

Filesize
628KB

Download
memory/5472-11-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/5536-213-0x0000000002840000-0x00000000028B8000-memory.dmp

Filesize
480KB

Download
memory/5944-164-0x00000000026A0000-0x0000000002718000-memory.dmp

Filesize
480KB

Download
memory/6076-119-0x0000000001FA0000-0x0000000002018000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads