ardamax | a4edc06ab982e63b074889528e177a043143a994aac4335e1582991e141561a6

Analysis

max time kernel
44s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2025, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe
Size

2.4MB
MD5

c0177e9cf4abe6b2007ae61f9a17b78b
SHA1

fab60ea62692fdd7648f3c17504c03303789b301
SHA256

a4edc06ab982e63b074889528e177a043143a994aac4335e1582991e141561a6
SHA512

f9cf21c5a7ec5acef2b490fc848b14e2a66deb04305b28a05bf3f71d7569de61e6002d91a7baea95c10d62c6f4979fccc6faf67a8cab6ef28dfc43ab46ac7f03
SSDEEP

49152:3RXx+3aN1JfK8wDjO7r8SILAwan+xHqysyDBSnKZHWW9oUFOQJCDMuR:3RY6JfK8QjO7r8SILAwan+xKysyDBSnd

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x001900000002b08e-66.dat	family_ardamax

Executes dropped EXE 64 IoCs

pid	Process
3076	msnmsgr.exe
1396	msnmsgr.exe
1548	Project1 [email protected]
3824	msnmsgr.exe
1468	FXOV.exe
1916	Project1.exe
3896	msnmsgr.exe
4544	msnmsgr.exe
5060	msnmsgr.exe
4732	msnmsgr.exe
4504	msnmsgr.exe
3528	msnmsgr.exe
3188	FXOV.exe
1108	msnmsgr.exe
2072	msnmsgr.exe
3184	msnmsgr.exe
5104	msnmsgr.exe
4372	msnmsgr.exe
1652	msnmsgr.exe
4232	msnmsgr.exe
4624	msnmsgr.exe
5096	msnmsgr.exe
4836	msnmsgr.exe
3800	msnmsgr.exe
4460	msnmsgr.exe
3160	msnmsgr.exe
4560	msnmsgr.exe
2144	msnmsgr.exe
3464	msnmsgr.exe
4596	msnmsgr.exe
1616	msnmsgr.exe
2740	msnmsgr.exe
5212	msnmsgr.exe
5372	msnmsgr.exe
5528	msnmsgr.exe
5684	msnmsgr.exe
5840	msnmsgr.exe
6000	msnmsgr.exe
5140	msnmsgr.exe
5248	msnmsgr.exe
5576	msnmsgr.exe
5944	msnmsgr.exe
6036	msnmsgr.exe
5432	msnmsgr.exe
4228	msnmsgr.exe
5448	msnmsgr.exe
5556	msnmsgr.exe
5704	msnmsgr.exe
5452	msnmsgr.exe
5228	msnmsgr.exe
6228	msnmsgr.exe
6380	msnmsgr.exe
6568	msnmsgr.exe
6720	msnmsgr.exe
6880	msnmsgr.exe
7048	msnmsgr.exe
5912	msnmsgr.exe
6456	msnmsgr.exe
6596	msnmsgr.exe
6964	msnmsgr.exe
7076	msnmsgr.exe
6440	msnmsgr.exe
6984	msnmsgr.exe
6272	msnmsgr.exe

Loads dropped DLL 64 IoCs

pid	Process
3076	msnmsgr.exe
3076	msnmsgr.exe
3076	msnmsgr.exe
3076	msnmsgr.exe
1396	msnmsgr.exe
1396	msnmsgr.exe
1396	msnmsgr.exe
1396	msnmsgr.exe
1548	Project1 [email protected]
3824	msnmsgr.exe
3824	msnmsgr.exe
3824	msnmsgr.exe
3824	msnmsgr.exe
1916	Project1.exe
1916	Project1.exe
3896	msnmsgr.exe
3896	msnmsgr.exe
3896	msnmsgr.exe
3896	msnmsgr.exe
4544	msnmsgr.exe
4544	msnmsgr.exe
4544	msnmsgr.exe
4544	msnmsgr.exe
5060	msnmsgr.exe
5060	msnmsgr.exe
5060	msnmsgr.exe
5060	msnmsgr.exe
4732	msnmsgr.exe
4732	msnmsgr.exe
4732	msnmsgr.exe
4732	msnmsgr.exe
4504	msnmsgr.exe
4504	msnmsgr.exe
4504	msnmsgr.exe
4504	msnmsgr.exe
3528	msnmsgr.exe
3528	msnmsgr.exe
1468	FXOV.exe
1468	FXOV.exe
1468	FXOV.exe
1468	FXOV.exe
1468	FXOV.exe
3188	FXOV.exe
3188	FXOV.exe
3188	FXOV.exe
3528	msnmsgr.exe
3528	msnmsgr.exe
1108	msnmsgr.exe
1108	msnmsgr.exe
1108	msnmsgr.exe
1108	msnmsgr.exe
1108	msnmsgr.exe
1108	msnmsgr.exe
1108	msnmsgr.exe
1108	msnmsgr.exe
2072	msnmsgr.exe
2072	msnmsgr.exe
2072	msnmsgr.exe
2072	msnmsgr.exe
2072	msnmsgr.exe
2072	msnmsgr.exe
2072	msnmsgr.exe
2072	msnmsgr.exe
3184	msnmsgr.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FXOV Agent = "C:\\Windows\\SysWOW64\\28463\\FXOV.exe"	FXOV.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnmsgr.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Project1 [email protected]
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File opened for modification	C:\Windows\SysWOW64\28463	FXOV.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe
File created	C:\Windows\SysWOW64\system.bat	msnmsgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FXOV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\TypeLib	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\VersionIndependentProgID	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\VersionIndependentProgID\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OCHelper.dll"	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\Programmable	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0\ = "Rendezvous 1.0 Type Library"	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\Implemented Categories	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\Programmable\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\ProgID	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\ProgID\ = "OCHelper.BrowserHelper.1"	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0\0	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\TypeLib\ = "{8B8C6C22-C05C-6702-D007-0000C01478DB}"	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\Version\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\Version\ = "1.0"	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\TypeLib\	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0\0\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0\0\win32\	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0\FLAGS	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\Implemented Categories\	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\InprocServer32	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\InprocServer32\	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\ProgID\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\RendezvousSession.tlb"	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\VersionIndependentProgID\ = "OCHelper.BrowserHelper"	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0\0\win32	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0\FLAGS\ = "0"	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\Version	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDB8C1FE-7065-46DE-27A9-5CAA8C9DC28E}\ = "Ekeqow Class"	FXOV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0\	FXOV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B8C6C22-C05C-6702-D007-0000C01478DB}\1.0\FLAGS\	FXOV.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
12204	reg.exe
13980	reg.exe
2900	reg.exe
7620	Process not Found
8700	Process not Found
21644	Process not Found
24424	Process not Found
5936	reg.exe
13380	Process not Found
9904	Process not Found
22524	Process not Found
11012	reg.exe
22356	Process not Found
9088	reg.exe
4472	reg.exe
7664	reg.exe
1008	Process not Found
20148	Process not Found
23796	Process not Found
21376	Process not Found
22188	Process not Found
10444	reg.exe
11576	reg.exe
17588	Process not Found
20388	Process not Found
19644	Process not Found
8624	Process not Found
15164	reg.exe
14720	Process not Found
22388	Process not Found
27420	Process not Found
15384	Process not Found
24004	Process not Found
8852	reg.exe
13132	reg.exe
8600	Process not Found
21208	Process not Found
27420	Process not Found
11416	reg.exe
10064	Process not Found
22676	Process not Found
9368	reg.exe
15132	Process not Found
19124	Process not Found
19008	Process not Found
5768	reg.exe
12268	reg.exe
12908	Process not Found
8216	Process not Found
15004	reg.exe
19288	Process not Found
26932	Process not Found
5428	reg.exe
6280	reg.exe
6012	reg.exe
8316	Process not Found
22472	Process not Found
12800	reg.exe
17392	Process not Found
17268	Process not Found
6700	reg.exe
13496	reg.exe
14432	Process not Found
17424	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3076	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	1396	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3824	msnmsgr.exe
Token: SeDebugPrivilege	1916	Project1.exe
Token: SeIncBasePriorityPrivilege	3896	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4544	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5060	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4732	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4504	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3528	msnmsgr.exe
Token: 33	1468	FXOV.exe
Token: SeIncBasePriorityPrivilege	1468	FXOV.exe
Token: SeIncBasePriorityPrivilege	1108	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	2072	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3184	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5104	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4372	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	1652	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4232	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4624	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5096	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4836	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3800	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4460	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3160	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4560	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	2144	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	3464	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4596	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	1616	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	2740	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5212	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5372	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5528	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5684	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5840	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6000	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5140	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5248	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5576	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5944	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6036	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5432	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4228	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5448	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5556	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5704	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5452	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5228	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6228	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6380	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6568	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6720	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6880	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	7048	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	5912	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6456	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6596	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6964	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	7076	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6440	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6984	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6272	msnmsgr.exe
Token: SeIncBasePriorityPrivilege	6800	msnmsgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3076	msnmsgr.exe
1396	msnmsgr.exe
3824	msnmsgr.exe
3896	msnmsgr.exe
4544	msnmsgr.exe
5060	msnmsgr.exe
4732	msnmsgr.exe
4504	msnmsgr.exe
1468	FXOV.exe
1468	FXOV.exe
1468	FXOV.exe
1468	FXOV.exe
1468	FXOV.exe
3528	msnmsgr.exe
1108	msnmsgr.exe
2072	msnmsgr.exe
3184	msnmsgr.exe
5104	msnmsgr.exe
4372	msnmsgr.exe
1652	msnmsgr.exe
4232	msnmsgr.exe
4624	msnmsgr.exe
5096	msnmsgr.exe
4836	msnmsgr.exe
3800	msnmsgr.exe
4460	msnmsgr.exe
3160	msnmsgr.exe
4560	msnmsgr.exe
2144	msnmsgr.exe
3464	msnmsgr.exe
4596	msnmsgr.exe
1616	msnmsgr.exe
2740	msnmsgr.exe
5212	msnmsgr.exe
5372	msnmsgr.exe
5528	msnmsgr.exe
5684	msnmsgr.exe
5840	msnmsgr.exe
6000	msnmsgr.exe
5140	msnmsgr.exe
5248	msnmsgr.exe
5576	msnmsgr.exe
5944	msnmsgr.exe
6036	msnmsgr.exe
5432	msnmsgr.exe
4228	msnmsgr.exe
5448	msnmsgr.exe
5556	msnmsgr.exe
5704	msnmsgr.exe
5452	msnmsgr.exe
5228	msnmsgr.exe
6228	msnmsgr.exe
6380	msnmsgr.exe
6568	msnmsgr.exe
6720	msnmsgr.exe
6880	msnmsgr.exe
7048	msnmsgr.exe
5912	msnmsgr.exe
6456	msnmsgr.exe
6596	msnmsgr.exe
6964	msnmsgr.exe
7076	msnmsgr.exe
6440	msnmsgr.exe
6984	msnmsgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 3076	2740	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	78
PID 2740 wrote to memory of 3076	2740	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	78
PID 2740 wrote to memory of 3076	2740	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	78
PID 3076 wrote to memory of 3512	3076	msnmsgr.exe	79
PID 3076 wrote to memory of 3512	3076	msnmsgr.exe	79
PID 3076 wrote to memory of 3512	3076	msnmsgr.exe	79
PID 3512 wrote to memory of 4232	3512	cmd.exe	81
PID 3512 wrote to memory of 4232	3512	cmd.exe	81
PID 3512 wrote to memory of 4232	3512	cmd.exe	81
PID 4232 wrote to memory of 4472	4232	cmd.exe	82
PID 4232 wrote to memory of 4472	4232	cmd.exe	82
PID 4232 wrote to memory of 4472	4232	cmd.exe	82
PID 1204 wrote to memory of 1396	1204	cmd.exe	85
PID 1204 wrote to memory of 1396	1204	cmd.exe	85
PID 1204 wrote to memory of 1396	1204	cmd.exe	85
PID 1396 wrote to memory of 4920	1396	msnmsgr.exe	86
PID 1396 wrote to memory of 4920	1396	msnmsgr.exe	86
PID 1396 wrote to memory of 4920	1396	msnmsgr.exe	86
PID 4920 wrote to memory of 3188	4920	cmd.exe	88
PID 4920 wrote to memory of 3188	4920	cmd.exe	88
PID 4920 wrote to memory of 3188	4920	cmd.exe	88
PID 3188 wrote to memory of 2284	3188	cmd.exe	89
PID 3188 wrote to memory of 2284	3188	cmd.exe	89
PID 3188 wrote to memory of 2284	3188	cmd.exe	89
PID 2740 wrote to memory of 1548	2740	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	92
PID 2740 wrote to memory of 1548	2740	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	92
PID 2740 wrote to memory of 1548	2740	JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe	92
PID 4988 wrote to memory of 3824	4988	cmd.exe	93
PID 4988 wrote to memory of 3824	4988	cmd.exe	93
PID 4988 wrote to memory of 3824	4988	cmd.exe	93
PID 1548 wrote to memory of 1468	1548	Project1 [email protected]	94
PID 1548 wrote to memory of 1468	1548	Project1 [email protected]	94
PID 1548 wrote to memory of 1468	1548	Project1 [email protected]	94
PID 3824 wrote to memory of 1312	3824	msnmsgr.exe	95
PID 3824 wrote to memory of 1312	3824	msnmsgr.exe	95
PID 3824 wrote to memory of 1312	3824	msnmsgr.exe	95
PID 1312 wrote to memory of 1528	1312	cmd.exe	97
PID 1312 wrote to memory of 1528	1312	cmd.exe	97
PID 1312 wrote to memory of 1528	1312	cmd.exe	97
PID 1528 wrote to memory of 4892	1528	cmd.exe	98
PID 1528 wrote to memory of 4892	1528	cmd.exe	98
PID 1528 wrote to memory of 4892	1528	cmd.exe	98
PID 1548 wrote to memory of 1916	1548	Project1 [email protected]	100
PID 1548 wrote to memory of 1916	1548	Project1 [email protected]	100
PID 1548 wrote to memory of 1916	1548	Project1 [email protected]	100
PID 4676 wrote to memory of 3896	4676	cmd.exe	103
PID 4676 wrote to memory of 3896	4676	cmd.exe	103
PID 4676 wrote to memory of 3896	4676	cmd.exe	103
PID 3896 wrote to memory of 764	3896	msnmsgr.exe	104
PID 3896 wrote to memory of 764	3896	msnmsgr.exe	104
PID 3896 wrote to memory of 764	3896	msnmsgr.exe	104
PID 764 wrote to memory of 1592	764	cmd.exe	106
PID 764 wrote to memory of 1592	764	cmd.exe	106
PID 764 wrote to memory of 1592	764	cmd.exe	106
PID 1592 wrote to memory of 4684	1592	cmd.exe	269
PID 1592 wrote to memory of 4684	1592	cmd.exe	269
PID 1592 wrote to memory of 4684	1592	cmd.exe	269
PID 816 wrote to memory of 4544	816	cmd.exe	110
PID 816 wrote to memory of 4544	816	cmd.exe	110
PID 816 wrote to memory of 4544	816	cmd.exe	110
PID 4544 wrote to memory of 4128	4544	msnmsgr.exe	111
PID 4544 wrote to memory of 4128	4544	msnmsgr.exe	111
PID 4544 wrote to memory of 4128	4544	msnmsgr.exe	111
PID 4128 wrote to memory of 2288	4128	cmd.exe	215

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0177e9cf4abe6b2007ae61f9a17b78b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4472
- C:\Users\Admin\AppData\Roaming\Project1 [email protected]
  "C:\Users\Admin\AppData\Roaming\Project1 [email protected]"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\28463\FXOV.exe
    "C:\Windows\system32\28463\FXOV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\Project1.exe
    "C:\Users\Admin\AppData\Local\Temp\Project1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2288
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:2368
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3396
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4068
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2420
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4864
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3284
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2144
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\28463\FXOV.exe
1⤵
PID:4472
- C:\Windows\SysWOW64\28463\FXOV.exe
  C:\Windows\SysWOW64\28463\FXOV.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3156
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3968
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4716
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5096
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4900
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4952
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4476
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2416
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:672
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4148
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:248
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4908
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:1880
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3668
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3520
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:2252
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:736
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:848
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3444
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3748
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:1128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4008
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:2492
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4748
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5056
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4048
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3196
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3236
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:736
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3452
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:4816
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3396
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5048
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4748
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2464
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:2304
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:1616
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3588
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3396
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3436
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5048
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3460
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2740
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:436
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5128
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5164
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5240
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5288
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5324
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5444
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5480
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5600
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5632
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5756
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5792
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5920
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5952
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6028
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6072
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6108
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5228
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5296
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5432
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5544
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5768
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5712
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6040
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6072
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5192
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5412
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5440
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5732
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5564
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5904
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5964
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5256
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5452
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5760
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5756
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6024
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6084
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5980
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5232
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6024
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5908
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5892
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5468
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6180
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6256
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6304
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6336
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6452
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6488
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6640
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6672
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6800
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6832
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6960
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6992
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:7048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7128
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7164
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6304
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:6280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6256
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6544
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6656
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6772
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6756
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7092
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7140
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:7076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6296
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6328
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6412
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6772
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6940
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:1996
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6748
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6412
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:6800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7136
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6292
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:6820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7072
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7028
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:6592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7176
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7336
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:7352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7372
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7448
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7492
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7524
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7648
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:7664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7684
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7812
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:7828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7848
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7968
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8000
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8120
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8156
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:6152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7220
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:7248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7304
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7504
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:7500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7480
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7660
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:7632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:7748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7772
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7976
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7924
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8184
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:6792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7288
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7508
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:7316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7588
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7788
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7964
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6792
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8100
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7484
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7492
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8012
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7984
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:7512
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:7972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8012
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6740
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8116
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:6792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:7628
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8208
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8244
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8364
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8400
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:8520
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8556
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8676
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8712
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:8760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8832
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8860
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8980
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9012
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9144
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:9156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9172
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8208
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8280
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8384
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8520
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8504
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8784
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:8836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8832
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:9000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9108
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9140
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:8092
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8488
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8836
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:8852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8648
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:4140
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:9124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:7788
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:8208
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:7972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8672
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8652
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:8632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8796
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9108
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8852
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:8784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:8536
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:9088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8964
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:328
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:8092
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:9348
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:9364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9380
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:9504
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9540
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9668
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9704
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:9752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9888
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:9936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10008
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10040
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10116
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10164
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10196
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:8632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9316
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:9368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9352
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:9348
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:9324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9480
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9636
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:9872
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9852
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:9956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9992
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:9972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10128
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10232
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9364
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:9284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9288
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:8536
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:9468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9508
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9480
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9624
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9792
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10068
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10020
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:9284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9460
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:9660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9672
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:9872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10180
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10004
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9344
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:328
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:9368
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10104
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:9988
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:8972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10016
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:9796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10248
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:10296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10376
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10408
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10528
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10560
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10688
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:10704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10724
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:10772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10844
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:10856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10880
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11000
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:11012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11032
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:11080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11152
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11188
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10024
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:9840
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:10276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10312
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10356
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10544
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10504
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10644
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:10792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10856
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10992
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10964
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11140
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:11108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10260
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9980
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10528
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:10544
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10356
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10712
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:10704
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:10644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10832
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:10688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:10976
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:10968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11012
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:10444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10480
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:11096
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:9368
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:10988
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:10832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:10980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:10952
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:10948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:9364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11132
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:9984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11272
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:11320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11348
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11404
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:11416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11440
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:11488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11560
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:11576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11596
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:11660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11696
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11740
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:11752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11772
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11896
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:11908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11932
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12024
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12076
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12116
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12240
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12276
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11352
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:11348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11356
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:11564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11708
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:11684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11748
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:11872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11964
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12184
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:12204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12252
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11424
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:11468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11396
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:11744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3204
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:11852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11876
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:11924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12184
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:12228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12056
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:11352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11532
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:11868
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:11852
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:11524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12064
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:12184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12256
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:11608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:12268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12064
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:11468
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:11892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12268
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:11628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3292
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - Drops file in System32 directory
  PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10956
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:12228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:1580
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:10956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12312
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12396
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12440
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12472
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12660
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12788
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:12800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12820
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12976
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13060
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13108
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13148
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13280
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12304
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12444
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12420
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12592
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:416
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12888
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12944
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13128
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13160
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:11628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12348
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12596
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12628
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12772
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4984
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:236
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13296
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:3520
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5220
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3452
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5084
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:5496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:12760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12964
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:13132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13280
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5660
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12640
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12576
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:12888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13052
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12920
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:12744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:11628
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:5992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:12964
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:12968
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:5156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3444
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:1568
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5260
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:4328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13320
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13364
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13440
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13484
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13516
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13644
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13676
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13808
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13840
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13968
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14000
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:14084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:14132
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:14144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14164
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:14256
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:14300
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:14312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14332
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:5592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13504
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13472
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5492
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13876
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13980
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13928
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:14128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5472
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14316
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13476
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:13496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13500
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:5308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13796
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:3460
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:14136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6236
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:14296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13492
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13664
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:5420
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:14136
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14076
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:6856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:5780
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:13452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13508
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:3460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:2148
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:13980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:5904
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6220
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:13920
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:13456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:13980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:13972
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6448
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:7084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:6576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:6716
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:6468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:6428
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:14412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:14464
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:14476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14496
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:14576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:14632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:14644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14664
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:14776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:14828
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        
        PID:14840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:14864
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:14920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:14948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:14992
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:15004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\msnmsgr.exe"
1⤵
PID:15024
- C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  C:\Users\Admin\AppData\Roaming\msnmsgr.exe
  2⤵
  PID:15072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    PID:15100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
      4⤵
      PID:15152
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Messenger /D "\"C:\Users\Admin\AppData\Roaming\msnmsgr.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:15164

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@9AF8.tmp

Filesize
4KB

MD5
557e0039dc13a0453af7ca9373a0d301

SHA1
50efb19b1b1eddd10ddb4c2ff23d18cccba92dfe

SHA256
54850e4c8644c042b15dab73a15135105ff84a240d26d1476c8b80d176a341fc

SHA512
d96fdc89ddbcd8459966c9548d3243a0fa319f8be2f418b4e17f313fb3f86d32dd7f254a035641f35e35ed849832773c0d1fe34ff362761309c64e959c025a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
145KB

MD5
5f28dc2968972e7bfe69a8330da73ea9

SHA1
7bb71a74dcbcfeaf291b0450d88d7a0b2d3dd501

SHA256
7e4da6b8889be0c812ded5547ffc7a0eaadcdf32246c9b1e1c493b1eaaecfa09

SHA512
c51bf36a006319815c5f9acce5ef601af1c8b5643446cb5b1486db4434e10166be6a3cde63f9a1ced95fe9222396575421ddf44bdeb31229e24272b7390066b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
151B

MD5
df152fd80d8fb72198df347eabdec1fc

SHA1
6244e2a1d6395d801da624620f25f8b014f7674f

SHA256
f822405fe96cb799dbb8da5e3837e820e3f7afa255237efd62160073ba0d90a3

SHA512
c45d6809b0e24ea1dfc2bd3b5ae9655cafccb6cba164493a28692319674c97504e7e08af42f6a97b220a0d99ccaa2be77edc802899eb520841413b845dd0ee2f

Download Submit
C:\Users\Admin\AppData\Roaming\Project1 [email protected]

Filesize
848KB

MD5
cbff3c6d23fbe977bf6a0172c5cab877

SHA1
bfedcf444c4e9ef2a2ac551bfe680e607f400b1c

SHA256
977f3ce07fe59c534769563efd9887ae33d8df4e06468a9380e697460b491e0e

SHA512
959575e2e6786d5741873a1bab29b0bef5d89360dc874091ccb040b33715bad4f8b8e11efd1a5e553a5ae632f1f1a3543cbfeac0cad94ecd159958510f6c11c0

Download Submit
C:\Users\Admin\AppData\Roaming\msnmsgr.exe

Filesize
589KB

MD5
30223bd43df984fc7668e6b3993ed13c

SHA1
b348c353702d19bcdbdb4550f0988a3c28602657

SHA256
2bb60a86383200a328fa27c063f688618b13ee081490f90bee079d2af86c2991

SHA512
db74d7f2805cd9ed31d5dbed58abb7c1f24f67aed54a0194429df38078aa8d159912526260310315a2c1f499ade2171c17891aa8ea904285d3e3c300bf6fab44

Download Submit
C:\Users\Admin\AppData\Roaming\ntcom.dll

Filesize
453KB

MD5
1985a5959fe8dd6dba46310722794aea

SHA1
c40c0b0c00ca673ec56cdff40f3fd89e5e76af1c

SHA256
c405a73aaf3e80bba1735a4673a7f2e17d9c4d9278b48cbddd1648ae9d0af728

SHA512
034e7cc2c48bacf34de4d5646b255160b3a6fc0a50bf6f87acfaba0cb354a99c90b13b570297b686280874865b09517e8180aa1950900602c769af0e0c16c4a8

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
bf3f029b48698972471caaa7e9cea759

SHA1
304ef8b5c72bf95e5d3efa18e5587c6d9cacfd15

SHA256
2f55fb7d6318f940c208276c25d63d7a7a8406da1c82f51305f1ce6381ac1aa5

SHA512
0fcc2c42ba1cf816152f1e116789c615956024b58a06a985c79ac9b71fa10dc232a5c4210f18f4d3a70730454cbdc2b3da56d24e4da207d58ce2446424b68d00

Download Submit
C:\Windows\SysWOW64\28463\FXOV.exe

Filesize
648KB

MD5
5530832fa82582288ce640f73a4915a0

SHA1
c40673ed59a61dd3b39f8ed6d0e1345838d98e44

SHA256
6f7daff3caf7f24a00e08e4ed414b4d23e13d2cac4657ad7a071d9cbeb42cb88

SHA512
ee2a2dc3c85a13b39f15a276f842afab8d341aacb457c1750b8bf0fa46b03a3bfabeff5be6439f3edf2c428d504ecabf07a399ebbdb09a75693309b55903775c

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
memory/1108-146-0x00000000021B0000-0x0000000002228000-memory.dmp

Filesize
480KB

Download
memory/1396-25-0x0000000002340000-0x00000000023B8000-memory.dmp

Filesize
480KB

Download
memory/1396-28-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1468-142-0x0000000003C30000-0x0000000003CA8000-memory.dmp

Filesize
480KB

Download
memory/1468-67-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1468-287-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1652-166-0x0000000002730000-0x00000000027A8000-memory.dmp

Filesize
480KB

Download
memory/1916-84-0x0000000003ED0000-0x0000000003F48000-memory.dmp

Filesize
480KB

Download
memory/2072-150-0x00000000028D0000-0x0000000002948000-memory.dmp

Filesize
480KB

Download
memory/2740-11-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2740-0-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2740-50-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3076-12-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3076-15-0x00000000021C0000-0x0000000002238000-memory.dmp

Filesize
480KB

Download
memory/3160-194-0x00000000027E0000-0x0000000002858000-memory.dmp

Filesize
480KB

Download
memory/3184-154-0x0000000002400000-0x0000000002478000-memory.dmp

Filesize
480KB

Download
memory/3188-145-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3464-206-0x00000000022E0000-0x0000000002358000-memory.dmp

Filesize
480KB

Download
memory/3528-139-0x0000000002810000-0x0000000002888000-memory.dmp

Filesize
480KB

Download
memory/3800-186-0x0000000002330000-0x00000000023A8000-memory.dmp

Filesize
480KB

Download
memory/3824-58-0x0000000002760000-0x00000000027D8000-memory.dmp

Filesize
480KB

Download
memory/3896-88-0x00000000022F0000-0x0000000002368000-memory.dmp

Filesize
480KB

Download
memory/4232-170-0x00000000023E0000-0x0000000002458000-memory.dmp

Filesize
480KB

Download
memory/4372-162-0x00000000027C0000-0x0000000002838000-memory.dmp

Filesize
480KB

Download
memory/4460-190-0x0000000002910000-0x0000000002988000-memory.dmp

Filesize
480KB

Download
memory/4504-128-0x0000000002720000-0x0000000002798000-memory.dmp

Filesize
480KB

Download
memory/4544-98-0x0000000002170000-0x00000000021E8000-memory.dmp

Filesize
480KB

Download
memory/4596-210-0x0000000002790000-0x0000000002808000-memory.dmp

Filesize
480KB

Download
memory/4624-174-0x00000000023D0000-0x0000000002448000-memory.dmp

Filesize
480KB

Download
memory/4732-118-0x0000000002710000-0x0000000002788000-memory.dmp

Filesize
480KB

Download
memory/4836-182-0x0000000002420000-0x0000000002498000-memory.dmp

Filesize
480KB

Download
memory/5096-178-0x0000000002320000-0x0000000002398000-memory.dmp

Filesize
480KB

Download
memory/5104-158-0x0000000002440000-0x00000000024B8000-memory.dmp

Filesize
480KB

Download
memory/5372-226-0x00000000027A0000-0x0000000002818000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads