4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72

Resubmissions

07-07-2022 07:38

220707-jgnwpafbfn 10

02-11-2020 14:43

201102-qmzdv5yy92 8

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
02-11-2020 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Booking Confirmation591773251.exe
Size

926KB
MD5

d36537604871b3550a9c5c635c37a601
SHA1

a5360105e7b4d5316c88e5403013dd395c1ab145
SHA256

4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72
SHA512

8b0c31bae27b95ee726fb77a2e0c6b82e599f73ad93d0fcf8c853cca2daf285796d0175ea1d5e0cfb3a40d5b80958a6c1d821b10eb241cba95a7c909ffe04df9

Score

8^/10

persistence spyware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1268	images.exe

Loads dropped DLL 1 IoCs

pid	Process
1668	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 158 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1268 set thread context of 1220	1268	images.exe	39

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1220	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	Booking Confirmation591773251.exe
Token: SeDebugPrivilege	1268	images.exe
Token: SeDebugPrivilege	1220	InstallUtil.exe

Suspicious use of WriteProcessMemory 660 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1448	844	Booking Confirmation591773251.exe	29
PID 844 wrote to memory of 1448	844	Booking Confirmation591773251.exe	29
PID 844 wrote to memory of 1448	844	Booking Confirmation591773251.exe	29
PID 844 wrote to memory of 1448	844	Booking Confirmation591773251.exe	29
PID 844 wrote to memory of 1668	844	Booking Confirmation591773251.exe	31
PID 844 wrote to memory of 1668	844	Booking Confirmation591773251.exe	31
PID 844 wrote to memory of 1668	844	Booking Confirmation591773251.exe	31
PID 844 wrote to memory of 1668	844	Booking Confirmation591773251.exe	31
PID 1668 wrote to memory of 1268	1668	cmd.exe	33
PID 1668 wrote to memory of 1268	1668	cmd.exe	33
PID 1668 wrote to memory of 1268	1668	cmd.exe	33
PID 1668 wrote to memory of 1268	1668	cmd.exe	33
PID 1668 wrote to memory of 1268	1668	cmd.exe	33
PID 1668 wrote to memory of 1268	1668	cmd.exe	33
PID 1668 wrote to memory of 1268	1668	cmd.exe	33
PID 1268 wrote to memory of 1436	1268	images.exe	34
PID 1268 wrote to memory of 1436	1268	images.exe	34
PID 1268 wrote to memory of 1436	1268	images.exe	34
PID 1268 wrote to memory of 1436	1268	images.exe	34
PID 1436 wrote to memory of 1404	1436	cmd.exe	36
PID 1436 wrote to memory of 1404	1436	cmd.exe	36
PID 1436 wrote to memory of 1404	1436	cmd.exe	36
PID 1436 wrote to memory of 1404	1436	cmd.exe	36
PID 1268 wrote to memory of 1624	1268	images.exe	37
PID 1268 wrote to memory of 1624	1268	images.exe	37
PID 1268 wrote to memory of 1624	1268	images.exe	37
PID 1268 wrote to memory of 1624	1268	images.exe	37
PID 1624 wrote to memory of 1900	1624	cmd.exe	40
PID 1624 wrote to memory of 1900	1624	cmd.exe	40
PID 1624 wrote to memory of 1900	1624	cmd.exe	40
PID 1624 wrote to memory of 1900	1624	cmd.exe	40
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1220	1268	images.exe	39
PID 1268 wrote to memory of 1864	1268	images.exe	41
PID 1268 wrote to memory of 1864	1268	images.exe	41
PID 1268 wrote to memory of 1864	1268	images.exe	41
PID 1268 wrote to memory of 1864	1268	images.exe	41
PID 1864 wrote to memory of 912	1864	cmd.exe	43
PID 1864 wrote to memory of 912	1864	cmd.exe	43
PID 1864 wrote to memory of 912	1864	cmd.exe	43
PID 1864 wrote to memory of 912	1864	cmd.exe	43
PID 1268 wrote to memory of 944	1268	images.exe	44
PID 1268 wrote to memory of 944	1268	images.exe	44
PID 1268 wrote to memory of 944	1268	images.exe	44
PID 1268 wrote to memory of 944	1268	images.exe	44
PID 944 wrote to memory of 968	944	cmd.exe	46
PID 944 wrote to memory of 968	944	cmd.exe	46
PID 944 wrote to memory of 968	944	cmd.exe	46
PID 944 wrote to memory of 968	944	cmd.exe	46
PID 1268 wrote to memory of 2012	1268	images.exe	47
PID 1268 wrote to memory of 2012	1268	images.exe	47
PID 1268 wrote to memory of 2012	1268	images.exe	47
PID 1268 wrote to memory of 2012	1268	images.exe	47
PID 2012 wrote to memory of 560	2012	cmd.exe	49
PID 2012 wrote to memory of 560	2012	cmd.exe	49
PID 2012 wrote to memory of 560	2012	cmd.exe	49
PID 2012 wrote to memory of 560	2012	cmd.exe	49
PID 1268 wrote to memory of 960	1268	images.exe	50
PID 1268 wrote to memory of 960	1268	images.exe	50
PID 1268 wrote to memory of 960	1268	images.exe	50
PID 1268 wrote to memory of 960	1268	images.exe	50
PID 960 wrote to memory of 1460	960	cmd.exe	52
PID 960 wrote to memory of 1460	960	cmd.exe	52
PID 960 wrote to memory of 1460	960	cmd.exe	52
PID 960 wrote to memory of 1460	960	cmd.exe	52
PID 1268 wrote to memory of 1724	1268	images.exe	53
PID 1268 wrote to memory of 1724	1268	images.exe	53
PID 1268 wrote to memory of 1724	1268	images.exe	53
PID 1268 wrote to memory of 1724	1268	images.exe	53
PID 1724 wrote to memory of 1928	1724	cmd.exe	55
PID 1724 wrote to memory of 1928	1724	cmd.exe	55
PID 1724 wrote to memory of 1928	1724	cmd.exe	55
PID 1724 wrote to memory of 1928	1724	cmd.exe	55
PID 1268 wrote to memory of 1004	1268	images.exe	56
PID 1268 wrote to memory of 1004	1268	images.exe	56
PID 1268 wrote to memory of 1004	1268	images.exe	56
PID 1268 wrote to memory of 1004	1268	images.exe	56
PID 1004 wrote to memory of 1420	1004	cmd.exe	58
PID 1004 wrote to memory of 1420	1004	cmd.exe	58
PID 1004 wrote to memory of 1420	1004	cmd.exe	58
PID 1004 wrote to memory of 1420	1004	cmd.exe	58
PID 1268 wrote to memory of 1236	1268	images.exe	60
PID 1268 wrote to memory of 1236	1268	images.exe	60
PID 1268 wrote to memory of 1236	1268	images.exe	60
PID 1268 wrote to memory of 1236	1268	images.exe	60
PID 1236 wrote to memory of 832	1236	cmd.exe	62
PID 1236 wrote to memory of 832	1236	cmd.exe	62
PID 1236 wrote to memory of 832	1236	cmd.exe	62
PID 1236 wrote to memory of 832	1236	cmd.exe	62
PID 1268 wrote to memory of 1908	1268	images.exe	63
PID 1268 wrote to memory of 1908	1268	images.exe	63
PID 1268 wrote to memory of 1908	1268	images.exe	63
PID 1268 wrote to memory of 1908	1268	images.exe	63
PID 1908 wrote to memory of 1112	1908	cmd.exe	65
PID 1908 wrote to memory of 1112	1908	cmd.exe	65
PID 1908 wrote to memory of 1112	1908	cmd.exe	65
PID 1908 wrote to memory of 1112	1908	cmd.exe	65
PID 1268 wrote to memory of 1396	1268	images.exe	66
PID 1268 wrote to memory of 1396	1268	images.exe	66
PID 1268 wrote to memory of 1396	1268	images.exe	66
PID 1268 wrote to memory of 1396	1268	images.exe	66
PID 1396 wrote to memory of 1860	1396	cmd.exe	68
PID 1396 wrote to memory of 1860	1396	cmd.exe	68
PID 1396 wrote to memory of 1860	1396	cmd.exe	68
PID 1396 wrote to memory of 1860	1396	cmd.exe	68
PID 1268 wrote to memory of 1596	1268	images.exe	69
PID 1268 wrote to memory of 1596	1268	images.exe	69
PID 1268 wrote to memory of 1596	1268	images.exe	69
PID 1268 wrote to memory of 1596	1268	images.exe	69
PID 1596 wrote to memory of 560	1596	cmd.exe	71
PID 1596 wrote to memory of 560	1596	cmd.exe	71
PID 1596 wrote to memory of 560	1596	cmd.exe	71
PID 1596 wrote to memory of 560	1596	cmd.exe	71
PID 1268 wrote to memory of 1704	1268	images.exe	72
PID 1268 wrote to memory of 1704	1268	images.exe	72
PID 1268 wrote to memory of 1704	1268	images.exe	72
PID 1268 wrote to memory of 1704	1268	images.exe	72
PID 1704 wrote to memory of 1084	1704	cmd.exe	74
PID 1704 wrote to memory of 1084	1704	cmd.exe	74
PID 1704 wrote to memory of 1084	1704	cmd.exe	74
PID 1704 wrote to memory of 1084	1704	cmd.exe	74
PID 1268 wrote to memory of 1124	1268	images.exe	75
PID 1268 wrote to memory of 1124	1268	images.exe	75
PID 1268 wrote to memory of 1124	1268	images.exe	75
PID 1268 wrote to memory of 1124	1268	images.exe	75
PID 1124 wrote to memory of 820	1124	cmd.exe	77
PID 1124 wrote to memory of 820	1124	cmd.exe	77
PID 1124 wrote to memory of 820	1124	cmd.exe	77
PID 1124 wrote to memory of 820	1124	cmd.exe	77
PID 1268 wrote to memory of 1272	1268	images.exe	78
PID 1268 wrote to memory of 1272	1268	images.exe	78
PID 1268 wrote to memory of 1272	1268	images.exe	78
PID 1268 wrote to memory of 1272	1268	images.exe	78
PID 1272 wrote to memory of 1644	1272	cmd.exe	80
PID 1272 wrote to memory of 1644	1272	cmd.exe	80
PID 1272 wrote to memory of 1644	1272	cmd.exe	80
PID 1272 wrote to memory of 1644	1272	cmd.exe	80
PID 1268 wrote to memory of 1428	1268	images.exe	81
PID 1268 wrote to memory of 1428	1268	images.exe	81
PID 1268 wrote to memory of 1428	1268	images.exe	81
PID 1268 wrote to memory of 1428	1268	images.exe	81
PID 1428 wrote to memory of 1956	1428	cmd.exe	83
PID 1428 wrote to memory of 1956	1428	cmd.exe	83
PID 1428 wrote to memory of 1956	1428	cmd.exe	83
PID 1428 wrote to memory of 1956	1428	cmd.exe	83
PID 1268 wrote to memory of 1112	1268	images.exe	84
PID 1268 wrote to memory of 1112	1268	images.exe	84
PID 1268 wrote to memory of 1112	1268	images.exe	84
PID 1268 wrote to memory of 1112	1268	images.exe	84
PID 1112 wrote to memory of 1688	1112	cmd.exe	86
PID 1112 wrote to memory of 1688	1112	cmd.exe	86
PID 1112 wrote to memory of 1688	1112	cmd.exe	86
PID 1112 wrote to memory of 1688	1112	cmd.exe	86
PID 1268 wrote to memory of 936	1268	images.exe	87
PID 1268 wrote to memory of 936	1268	images.exe	87
PID 1268 wrote to memory of 936	1268	images.exe	87
PID 1268 wrote to memory of 936	1268	images.exe	87
PID 936 wrote to memory of 560	936	cmd.exe	89
PID 936 wrote to memory of 560	936	cmd.exe	89
PID 936 wrote to memory of 560	936	cmd.exe	89
PID 936 wrote to memory of 560	936	cmd.exe	89
PID 1268 wrote to memory of 1692	1268	images.exe	90
PID 1268 wrote to memory of 1692	1268	images.exe	90
PID 1268 wrote to memory of 1692	1268	images.exe	90
PID 1268 wrote to memory of 1692	1268	images.exe	90
PID 1692 wrote to memory of 620	1692	cmd.exe	92
PID 1692 wrote to memory of 620	1692	cmd.exe	92
PID 1692 wrote to memory of 620	1692	cmd.exe	92
PID 1692 wrote to memory of 620	1692	cmd.exe	92
PID 1268 wrote to memory of 884	1268	images.exe	93
PID 1268 wrote to memory of 884	1268	images.exe	93
PID 1268 wrote to memory of 884	1268	images.exe	93
PID 1268 wrote to memory of 884	1268	images.exe	93
PID 884 wrote to memory of 1944	884	cmd.exe	95
PID 884 wrote to memory of 1944	884	cmd.exe	95
PID 884 wrote to memory of 1944	884	cmd.exe	95
PID 884 wrote to memory of 1944	884	cmd.exe	95
PID 1268 wrote to memory of 1324	1268	images.exe	96
PID 1268 wrote to memory of 1324	1268	images.exe	96
PID 1268 wrote to memory of 1324	1268	images.exe	96
PID 1268 wrote to memory of 1324	1268	images.exe	96
PID 1324 wrote to memory of 1576	1324	cmd.exe	98
PID 1324 wrote to memory of 1576	1324	cmd.exe	98
PID 1324 wrote to memory of 1576	1324	cmd.exe	98
PID 1324 wrote to memory of 1576	1324	cmd.exe	98
PID 1268 wrote to memory of 1732	1268	images.exe	99
PID 1268 wrote to memory of 1732	1268	images.exe	99
PID 1268 wrote to memory of 1732	1268	images.exe	99
PID 1268 wrote to memory of 1732	1268	images.exe	99
PID 1732 wrote to memory of 940	1732	cmd.exe	101
PID 1732 wrote to memory of 940	1732	cmd.exe	101
PID 1732 wrote to memory of 940	1732	cmd.exe	101
PID 1732 wrote to memory of 940	1732	cmd.exe	101
PID 1268 wrote to memory of 1784	1268	images.exe	102
PID 1268 wrote to memory of 1784	1268	images.exe	102
PID 1268 wrote to memory of 1784	1268	images.exe	102
PID 1268 wrote to memory of 1784	1268	images.exe	102
PID 1784 wrote to memory of 452	1784	cmd.exe	104
PID 1784 wrote to memory of 452	1784	cmd.exe	104
PID 1784 wrote to memory of 452	1784	cmd.exe	104
PID 1784 wrote to memory of 452	1784	cmd.exe	104
PID 1268 wrote to memory of 684	1268	images.exe	105
PID 1268 wrote to memory of 684	1268	images.exe	105
PID 1268 wrote to memory of 684	1268	images.exe	105
PID 1268 wrote to memory of 684	1268	images.exe	105
PID 684 wrote to memory of 1980	684	cmd.exe	107
PID 684 wrote to memory of 1980	684	cmd.exe	107
PID 684 wrote to memory of 1980	684	cmd.exe	107
PID 684 wrote to memory of 1980	684	cmd.exe	107
PID 1268 wrote to memory of 1740	1268	images.exe	108
PID 1268 wrote to memory of 1740	1268	images.exe	108
PID 1268 wrote to memory of 1740	1268	images.exe	108
PID 1268 wrote to memory of 1740	1268	images.exe	108
PID 1740 wrote to memory of 1644	1740	cmd.exe	110
PID 1740 wrote to memory of 1644	1740	cmd.exe	110
PID 1740 wrote to memory of 1644	1740	cmd.exe	110
PID 1740 wrote to memory of 1644	1740	cmd.exe	110
PID 1268 wrote to memory of 1576	1268	images.exe	111
PID 1268 wrote to memory of 1576	1268	images.exe	111
PID 1268 wrote to memory of 1576	1268	images.exe	111
PID 1268 wrote to memory of 1576	1268	images.exe	111
PID 1576 wrote to memory of 108	1576	cmd.exe	113
PID 1576 wrote to memory of 108	1576	cmd.exe	113
PID 1576 wrote to memory of 108	1576	cmd.exe	113
PID 1576 wrote to memory of 108	1576	cmd.exe	113
PID 1268 wrote to memory of 1688	1268	images.exe	114
PID 1268 wrote to memory of 1688	1268	images.exe	114
PID 1268 wrote to memory of 1688	1268	images.exe	114
PID 1268 wrote to memory of 1688	1268	images.exe	114
PID 1688 wrote to memory of 1588	1688	cmd.exe	116
PID 1688 wrote to memory of 1588	1688	cmd.exe	116
PID 1688 wrote to memory of 1588	1688	cmd.exe	116
PID 1688 wrote to memory of 1588	1688	cmd.exe	116
PID 1268 wrote to memory of 560	1268	images.exe	117
PID 1268 wrote to memory of 560	1268	images.exe	117
PID 1268 wrote to memory of 560	1268	images.exe	117
PID 1268 wrote to memory of 560	1268	images.exe	117
PID 560 wrote to memory of 1132	560	cmd.exe	119
PID 560 wrote to memory of 1132	560	cmd.exe	119
PID 560 wrote to memory of 1132	560	cmd.exe	119
PID 560 wrote to memory of 1132	560	cmd.exe	119
PID 1268 wrote to memory of 912	1268	images.exe	120
PID 1268 wrote to memory of 912	1268	images.exe	120
PID 1268 wrote to memory of 912	1268	images.exe	120
PID 1268 wrote to memory of 912	1268	images.exe	120
PID 912 wrote to memory of 1420	912	cmd.exe	122
PID 912 wrote to memory of 1420	912	cmd.exe	122
PID 912 wrote to memory of 1420	912	cmd.exe	122
PID 912 wrote to memory of 1420	912	cmd.exe	122
PID 1268 wrote to memory of 908	1268	images.exe	123
PID 1268 wrote to memory of 908	1268	images.exe	123
PID 1268 wrote to memory of 908	1268	images.exe	123
PID 1268 wrote to memory of 908	1268	images.exe	123
PID 908 wrote to memory of 1984	908	cmd.exe	125
PID 908 wrote to memory of 1984	908	cmd.exe	125
PID 908 wrote to memory of 1984	908	cmd.exe	125
PID 908 wrote to memory of 1984	908	cmd.exe	125
PID 1268 wrote to memory of 1676	1268	images.exe	126
PID 1268 wrote to memory of 1676	1268	images.exe	126
PID 1268 wrote to memory of 1676	1268	images.exe	126
PID 1268 wrote to memory of 1676	1268	images.exe	126
PID 1676 wrote to memory of 1504	1676	cmd.exe	128
PID 1676 wrote to memory of 1504	1676	cmd.exe	128
PID 1676 wrote to memory of 1504	1676	cmd.exe	128
PID 1676 wrote to memory of 1504	1676	cmd.exe	128
PID 1268 wrote to memory of 1816	1268	images.exe	129
PID 1268 wrote to memory of 1816	1268	images.exe	129
PID 1268 wrote to memory of 1816	1268	images.exe	129
PID 1268 wrote to memory of 1816	1268	images.exe	129
PID 1816 wrote to memory of 620	1816	cmd.exe	131
PID 1816 wrote to memory of 620	1816	cmd.exe	131
PID 1816 wrote to memory of 620	1816	cmd.exe	131
PID 1816 wrote to memory of 620	1816	cmd.exe	131
PID 1268 wrote to memory of 1892	1268	images.exe	132
PID 1268 wrote to memory of 1892	1268	images.exe	132
PID 1268 wrote to memory of 1892	1268	images.exe	132
PID 1268 wrote to memory of 1892	1268	images.exe	132
PID 1892 wrote to memory of 1404	1892	cmd.exe	134
PID 1892 wrote to memory of 1404	1892	cmd.exe	134
PID 1892 wrote to memory of 1404	1892	cmd.exe	134
PID 1892 wrote to memory of 1404	1892	cmd.exe	134
PID 1268 wrote to memory of 1984	1268	images.exe	135
PID 1268 wrote to memory of 1984	1268	images.exe	135
PID 1268 wrote to memory of 1984	1268	images.exe	135
PID 1268 wrote to memory of 1984	1268	images.exe	135
PID 1984 wrote to memory of 1520	1984	cmd.exe	137
PID 1984 wrote to memory of 1520	1984	cmd.exe	137
PID 1984 wrote to memory of 1520	1984	cmd.exe	137
PID 1984 wrote to memory of 1520	1984	cmd.exe	137
PID 1268 wrote to memory of 1972	1268	images.exe	138
PID 1268 wrote to memory of 1972	1268	images.exe	138
PID 1268 wrote to memory of 1972	1268	images.exe	138
PID 1268 wrote to memory of 1972	1268	images.exe	138
PID 1972 wrote to memory of 620	1972	cmd.exe	140
PID 1972 wrote to memory of 620	1972	cmd.exe	140
PID 1972 wrote to memory of 620	1972	cmd.exe	140
PID 1972 wrote to memory of 620	1972	cmd.exe	140
PID 1268 wrote to memory of 1980	1268	images.exe	141
PID 1268 wrote to memory of 1980	1268	images.exe	141
PID 1268 wrote to memory of 1980	1268	images.exe	141
PID 1268 wrote to memory of 1980	1268	images.exe	141
PID 1980 wrote to memory of 864	1980	cmd.exe	143
PID 1980 wrote to memory of 864	1980	cmd.exe	143
PID 1980 wrote to memory of 864	1980	cmd.exe	143
PID 1980 wrote to memory of 864	1980	cmd.exe	143
PID 1268 wrote to memory of 2004	1268	images.exe	144
PID 1268 wrote to memory of 2004	1268	images.exe	144
PID 1268 wrote to memory of 2004	1268	images.exe	144
PID 1268 wrote to memory of 2004	1268	images.exe	144
PID 2004 wrote to memory of 1452	2004	cmd.exe	146
PID 2004 wrote to memory of 1452	2004	cmd.exe	146
PID 2004 wrote to memory of 1452	2004	cmd.exe	146
PID 2004 wrote to memory of 1452	2004	cmd.exe	146
PID 1268 wrote to memory of 1460	1268	images.exe	147
PID 1268 wrote to memory of 1460	1268	images.exe	147
PID 1268 wrote to memory of 1460	1268	images.exe	147
PID 1268 wrote to memory of 1460	1268	images.exe	147
PID 1460 wrote to memory of 1420	1460	cmd.exe	149
PID 1460 wrote to memory of 1420	1460	cmd.exe	149
PID 1460 wrote to memory of 1420	1460	cmd.exe	149
PID 1460 wrote to memory of 1420	1460	cmd.exe	149
PID 1268 wrote to memory of 864	1268	images.exe	150
PID 1268 wrote to memory of 864	1268	images.exe	150
PID 1268 wrote to memory of 864	1268	images.exe	150
PID 1268 wrote to memory of 864	1268	images.exe	150
PID 864 wrote to memory of 1588	864	cmd.exe	152
PID 864 wrote to memory of 1588	864	cmd.exe	152
PID 864 wrote to memory of 1588	864	cmd.exe	152
PID 864 wrote to memory of 1588	864	cmd.exe	152
PID 1268 wrote to memory of 108	1268	images.exe	153
PID 1268 wrote to memory of 108	1268	images.exe	153
PID 1268 wrote to memory of 108	1268	images.exe	153
PID 1268 wrote to memory of 108	1268	images.exe	153
PID 108 wrote to memory of 1420	108	cmd.exe	155
PID 108 wrote to memory of 1420	108	cmd.exe	155
PID 108 wrote to memory of 1420	108	cmd.exe	155
PID 108 wrote to memory of 1420	108	cmd.exe	155
PID 1268 wrote to memory of 1584	1268	images.exe	156
PID 1268 wrote to memory of 1584	1268	images.exe	156
PID 1268 wrote to memory of 1584	1268	images.exe	156
PID 1268 wrote to memory of 1584	1268	images.exe	156
PID 1584 wrote to memory of 1404	1584	cmd.exe	158
PID 1584 wrote to memory of 1404	1584	cmd.exe	158
PID 1584 wrote to memory of 1404	1584	cmd.exe	158
PID 1584 wrote to memory of 1404	1584	cmd.exe	158
PID 1268 wrote to memory of 1860	1268	images.exe	159
PID 1268 wrote to memory of 1860	1268	images.exe	159
PID 1268 wrote to memory of 1860	1268	images.exe	159
PID 1268 wrote to memory of 1860	1268	images.exe	159
PID 1860 wrote to memory of 1612	1860	cmd.exe	161
PID 1860 wrote to memory of 1612	1860	cmd.exe	161
PID 1860 wrote to memory of 1612	1860	cmd.exe	161
PID 1860 wrote to memory of 1612	1860	cmd.exe	161
PID 1268 wrote to memory of 1032	1268	images.exe	162
PID 1268 wrote to memory of 1032	1268	images.exe	162
PID 1268 wrote to memory of 1032	1268	images.exe	162
PID 1268 wrote to memory of 1032	1268	images.exe	162
PID 1032 wrote to memory of 1628	1032	cmd.exe	164
PID 1032 wrote to memory of 1628	1032	cmd.exe	164
PID 1032 wrote to memory of 1628	1032	cmd.exe	164
PID 1032 wrote to memory of 1628	1032	cmd.exe	164
PID 1268 wrote to memory of 1612	1268	images.exe	165
PID 1268 wrote to memory of 1612	1268	images.exe	165
PID 1268 wrote to memory of 1612	1268	images.exe	165
PID 1268 wrote to memory of 1612	1268	images.exe	165
PID 1612 wrote to memory of 1968	1612	cmd.exe	167
PID 1612 wrote to memory of 1968	1612	cmd.exe	167
PID 1612 wrote to memory of 1968	1612	cmd.exe	167
PID 1612 wrote to memory of 1968	1612	cmd.exe	167
PID 1268 wrote to memory of 1588	1268	images.exe	168
PID 1268 wrote to memory of 1588	1268	images.exe	168
PID 1268 wrote to memory of 1588	1268	images.exe	168
PID 1268 wrote to memory of 1588	1268	images.exe	168
PID 1588 wrote to memory of 916	1588	cmd.exe	170
PID 1588 wrote to memory of 916	1588	cmd.exe	170
PID 1588 wrote to memory of 916	1588	cmd.exe	170
PID 1588 wrote to memory of 916	1588	cmd.exe	170
PID 1268 wrote to memory of 940	1268	images.exe	171
PID 1268 wrote to memory of 940	1268	images.exe	171
PID 1268 wrote to memory of 940	1268	images.exe	171
PID 1268 wrote to memory of 940	1268	images.exe	171
PID 940 wrote to memory of 1968	940	cmd.exe	173
PID 940 wrote to memory of 1968	940	cmd.exe	173
PID 940 wrote to memory of 1968	940	cmd.exe	173
PID 940 wrote to memory of 1968	940	cmd.exe	173
PID 1268 wrote to memory of 1404	1268	images.exe	174
PID 1268 wrote to memory of 1404	1268	images.exe	174
PID 1268 wrote to memory of 1404	1268	images.exe	174
PID 1268 wrote to memory of 1404	1268	images.exe	174
PID 1404 wrote to memory of 1224	1404	cmd.exe	176
PID 1404 wrote to memory of 1224	1404	cmd.exe	176
PID 1404 wrote to memory of 1224	1404	cmd.exe	176
PID 1404 wrote to memory of 1224	1404	cmd.exe	176
PID 1268 wrote to memory of 1968	1268	images.exe	177
PID 1268 wrote to memory of 1968	1268	images.exe	177
PID 1268 wrote to memory of 1968	1268	images.exe	177
PID 1268 wrote to memory of 1968	1268	images.exe	177
PID 1968 wrote to memory of 1084	1968	cmd.exe	179
PID 1968 wrote to memory of 1084	1968	cmd.exe	179
PID 1968 wrote to memory of 1084	1968	cmd.exe	179
PID 1968 wrote to memory of 1084	1968	cmd.exe	179
PID 1268 wrote to memory of 2060	1268	images.exe	180
PID 1268 wrote to memory of 2060	1268	images.exe	180
PID 1268 wrote to memory of 2060	1268	images.exe	180
PID 1268 wrote to memory of 2060	1268	images.exe	180
PID 2060 wrote to memory of 2088	2060	cmd.exe	182
PID 2060 wrote to memory of 2088	2060	cmd.exe	182
PID 2060 wrote to memory of 2088	2060	cmd.exe	182
PID 2060 wrote to memory of 2088	2060	cmd.exe	182
PID 1268 wrote to memory of 2104	1268	images.exe	183
PID 1268 wrote to memory of 2104	1268	images.exe	183
PID 1268 wrote to memory of 2104	1268	images.exe	183
PID 1268 wrote to memory of 2104	1268	images.exe	183
PID 2104 wrote to memory of 2132	2104	cmd.exe	185
PID 2104 wrote to memory of 2132	2104	cmd.exe	185
PID 2104 wrote to memory of 2132	2104	cmd.exe	185
PID 2104 wrote to memory of 2132	2104	cmd.exe	185
PID 1268 wrote to memory of 2148	1268	images.exe	186
PID 1268 wrote to memory of 2148	1268	images.exe	186
PID 1268 wrote to memory of 2148	1268	images.exe	186
PID 1268 wrote to memory of 2148	1268	images.exe	186
PID 2148 wrote to memory of 2176	2148	cmd.exe	188
PID 2148 wrote to memory of 2176	2148	cmd.exe	188
PID 2148 wrote to memory of 2176	2148	cmd.exe	188
PID 2148 wrote to memory of 2176	2148	cmd.exe	188
PID 1268 wrote to memory of 2192	1268	images.exe	189
PID 1268 wrote to memory of 2192	1268	images.exe	189
PID 1268 wrote to memory of 2192	1268	images.exe	189
PID 1268 wrote to memory of 2192	1268	images.exe	189
PID 2192 wrote to memory of 2220	2192	cmd.exe	191
PID 2192 wrote to memory of 2220	2192	cmd.exe	191
PID 2192 wrote to memory of 2220	2192	cmd.exe	191
PID 2192 wrote to memory of 2220	2192	cmd.exe	191
PID 1268 wrote to memory of 2236	1268	images.exe	192
PID 1268 wrote to memory of 2236	1268	images.exe	192
PID 1268 wrote to memory of 2236	1268	images.exe	192
PID 1268 wrote to memory of 2236	1268	images.exe	192
PID 2236 wrote to memory of 2264	2236	cmd.exe	194
PID 2236 wrote to memory of 2264	2236	cmd.exe	194
PID 2236 wrote to memory of 2264	2236	cmd.exe	194
PID 2236 wrote to memory of 2264	2236	cmd.exe	194
PID 1268 wrote to memory of 2280	1268	images.exe	195
PID 1268 wrote to memory of 2280	1268	images.exe	195
PID 1268 wrote to memory of 2280	1268	images.exe	195
PID 1268 wrote to memory of 2280	1268	images.exe	195
PID 2280 wrote to memory of 2308	2280	cmd.exe	197
PID 2280 wrote to memory of 2308	2280	cmd.exe	197
PID 2280 wrote to memory of 2308	2280	cmd.exe	197
PID 2280 wrote to memory of 2308	2280	cmd.exe	197
PID 1268 wrote to memory of 2324	1268	images.exe	198
PID 1268 wrote to memory of 2324	1268	images.exe	198
PID 1268 wrote to memory of 2324	1268	images.exe	198
PID 1268 wrote to memory of 2324	1268	images.exe	198
PID 2324 wrote to memory of 2352	2324	cmd.exe	200
PID 2324 wrote to memory of 2352	2324	cmd.exe	200
PID 2324 wrote to memory of 2352	2324	cmd.exe	200
PID 2324 wrote to memory of 2352	2324	cmd.exe	200
PID 1268 wrote to memory of 2368	1268	images.exe	201
PID 1268 wrote to memory of 2368	1268	images.exe	201
PID 1268 wrote to memory of 2368	1268	images.exe	201
PID 1268 wrote to memory of 2368	1268	images.exe	201
PID 2368 wrote to memory of 2396	2368	cmd.exe	203
PID 2368 wrote to memory of 2396	2368	cmd.exe	203
PID 2368 wrote to memory of 2396	2368	cmd.exe	203
PID 2368 wrote to memory of 2396	2368	cmd.exe	203
PID 1268 wrote to memory of 2416	1268	images.exe	204
PID 1268 wrote to memory of 2416	1268	images.exe	204
PID 1268 wrote to memory of 2416	1268	images.exe	204
PID 1268 wrote to memory of 2416	1268	images.exe	204
PID 2416 wrote to memory of 2444	2416	cmd.exe	206
PID 2416 wrote to memory of 2444	2416	cmd.exe	206
PID 2416 wrote to memory of 2444	2416	cmd.exe	206
PID 2416 wrote to memory of 2444	2416	cmd.exe	206
PID 1268 wrote to memory of 2460	1268	images.exe	207
PID 1268 wrote to memory of 2460	1268	images.exe	207
PID 1268 wrote to memory of 2460	1268	images.exe	207
PID 1268 wrote to memory of 2460	1268	images.exe	207
PID 2460 wrote to memory of 2488	2460	cmd.exe	209
PID 2460 wrote to memory of 2488	2460	cmd.exe	209
PID 2460 wrote to memory of 2488	2460	cmd.exe	209
PID 2460 wrote to memory of 2488	2460	cmd.exe	209
PID 1268 wrote to memory of 2504	1268	images.exe	210
PID 1268 wrote to memory of 2504	1268	images.exe	210
PID 1268 wrote to memory of 2504	1268	images.exe	210
PID 1268 wrote to memory of 2504	1268	images.exe	210
PID 2504 wrote to memory of 2532	2504	cmd.exe	212
PID 2504 wrote to memory of 2532	2504	cmd.exe	212
PID 2504 wrote to memory of 2532	2504	cmd.exe	212
PID 2504 wrote to memory of 2532	2504	cmd.exe	212
PID 1268 wrote to memory of 2548	1268	images.exe	213
PID 1268 wrote to memory of 2548	1268	images.exe	213
PID 1268 wrote to memory of 2548	1268	images.exe	213
PID 1268 wrote to memory of 2548	1268	images.exe	213
PID 2548 wrote to memory of 2576	2548	cmd.exe	215
PID 2548 wrote to memory of 2576	2548	cmd.exe	215
PID 2548 wrote to memory of 2576	2548	cmd.exe	215
PID 2548 wrote to memory of 2576	2548	cmd.exe	215
PID 1268 wrote to memory of 2592	1268	images.exe	216
PID 1268 wrote to memory of 2592	1268	images.exe	216
PID 1268 wrote to memory of 2592	1268	images.exe	216
PID 1268 wrote to memory of 2592	1268	images.exe	216
PID 2592 wrote to memory of 2620	2592	cmd.exe	218
PID 2592 wrote to memory of 2620	2592	cmd.exe	218
PID 2592 wrote to memory of 2620	2592	cmd.exe	218
PID 2592 wrote to memory of 2620	2592	cmd.exe	218
PID 1268 wrote to memory of 2636	1268	images.exe	219
PID 1268 wrote to memory of 2636	1268	images.exe	219
PID 1268 wrote to memory of 2636	1268	images.exe	219
PID 1268 wrote to memory of 2636	1268	images.exe	219
PID 2636 wrote to memory of 2664	2636	cmd.exe	221
PID 2636 wrote to memory of 2664	2636	cmd.exe	221
PID 2636 wrote to memory of 2664	2636	cmd.exe	221
PID 2636 wrote to memory of 2664	2636	cmd.exe	221
PID 1268 wrote to memory of 2680	1268	images.exe	222
PID 1268 wrote to memory of 2680	1268	images.exe	222
PID 1268 wrote to memory of 2680	1268	images.exe	222
PID 1268 wrote to memory of 2680	1268	images.exe	222
PID 2680 wrote to memory of 2708	2680	cmd.exe	224
PID 2680 wrote to memory of 2708	2680	cmd.exe	224
PID 2680 wrote to memory of 2708	2680	cmd.exe	224
PID 2680 wrote to memory of 2708	2680	cmd.exe	224
PID 1268 wrote to memory of 2724	1268	images.exe	225
PID 1268 wrote to memory of 2724	1268	images.exe	225
PID 1268 wrote to memory of 2724	1268	images.exe	225
PID 1268 wrote to memory of 2724	1268	images.exe	225
PID 2724 wrote to memory of 2752	2724	cmd.exe	227
PID 2724 wrote to memory of 2752	2724	cmd.exe	227
PID 2724 wrote to memory of 2752	2724	cmd.exe	227
PID 2724 wrote to memory of 2752	2724	cmd.exe	227
PID 1268 wrote to memory of 2768	1268	images.exe	228
PID 1268 wrote to memory of 2768	1268	images.exe	228
PID 1268 wrote to memory of 2768	1268	images.exe	228
PID 1268 wrote to memory of 2768	1268	images.exe	228
PID 2768 wrote to memory of 2796	2768	cmd.exe	230
PID 2768 wrote to memory of 2796	2768	cmd.exe	230
PID 2768 wrote to memory of 2796	2768	cmd.exe	230
PID 2768 wrote to memory of 2796	2768	cmd.exe	230
PID 1268 wrote to memory of 2812	1268	images.exe	231
PID 1268 wrote to memory of 2812	1268	images.exe	231
PID 1268 wrote to memory of 2812	1268	images.exe	231
PID 1268 wrote to memory of 2812	1268	images.exe	231
PID 2812 wrote to memory of 2840	2812	cmd.exe	233
PID 2812 wrote to memory of 2840	2812	cmd.exe	233
PID 2812 wrote to memory of 2840	2812	cmd.exe	233
PID 2812 wrote to memory of 2840	2812	cmd.exe	233
PID 1268 wrote to memory of 2856	1268	images.exe	234
PID 1268 wrote to memory of 2856	1268	images.exe	234
PID 1268 wrote to memory of 2856	1268	images.exe	234
PID 1268 wrote to memory of 2856	1268	images.exe	234
PID 2856 wrote to memory of 2884	2856	cmd.exe	236
PID 2856 wrote to memory of 2884	2856	cmd.exe	236
PID 2856 wrote to memory of 2884	2856	cmd.exe	236
PID 2856 wrote to memory of 2884	2856	cmd.exe	236
PID 1268 wrote to memory of 2900	1268	images.exe	237
PID 1268 wrote to memory of 2900	1268	images.exe	237
PID 1268 wrote to memory of 2900	1268	images.exe	237
PID 1268 wrote to memory of 2900	1268	images.exe	237
PID 2900 wrote to memory of 2928	2900	cmd.exe	239
PID 2900 wrote to memory of 2928	2900	cmd.exe	239
PID 2900 wrote to memory of 2928	2900	cmd.exe	239
PID 2900 wrote to memory of 2928	2900	cmd.exe	239
PID 1268 wrote to memory of 2944	1268	images.exe	240
PID 1268 wrote to memory of 2944	1268	images.exe	240
PID 1268 wrote to memory of 2944	1268	images.exe	240
PID 1268 wrote to memory of 2944	1268	images.exe	240
PID 2944 wrote to memory of 2972	2944	cmd.exe	242
PID 2944 wrote to memory of 2972	2944	cmd.exe	242
PID 2944 wrote to memory of 2972	2944	cmd.exe	242
PID 2944 wrote to memory of 2972	2944	cmd.exe	242
PID 1268 wrote to memory of 2988	1268	images.exe	243
PID 1268 wrote to memory of 2988	1268	images.exe	243
PID 1268 wrote to memory of 2988	1268	images.exe	243
PID 1268 wrote to memory of 2988	1268	images.exe	243
PID 2988 wrote to memory of 3016	2988	cmd.exe	245
PID 2988 wrote to memory of 3016	2988	cmd.exe	245
PID 2988 wrote to memory of 3016	2988	cmd.exe	245
PID 2988 wrote to memory of 3016	2988	cmd.exe	245
PID 1268 wrote to memory of 3032	1268	images.exe	246
PID 1268 wrote to memory of 3032	1268	images.exe	246
PID 1268 wrote to memory of 3032	1268	images.exe	246
PID 1268 wrote to memory of 3032	1268	images.exe	246
PID 3032 wrote to memory of 3060	3032	cmd.exe	248
PID 3032 wrote to memory of 3060	3032	cmd.exe	248
PID 3032 wrote to memory of 3060	3032	cmd.exe	248
PID 3032 wrote to memory of 3060	3032	cmd.exe	248
PID 1268 wrote to memory of 1680	1268	images.exe	249
PID 1268 wrote to memory of 1680	1268	images.exe	249
PID 1268 wrote to memory of 1680	1268	images.exe	249
PID 1268 wrote to memory of 1680	1268	images.exe	249
PID 1680 wrote to memory of 2076	1680	cmd.exe	251
PID 1680 wrote to memory of 2076	1680	cmd.exe	251
PID 1680 wrote to memory of 2076	1680	cmd.exe	251
PID 1680 wrote to memory of 2076	1680	cmd.exe	251
PID 1268 wrote to memory of 2084	1268	images.exe	252
PID 1268 wrote to memory of 2084	1268	images.exe	252
PID 1268 wrote to memory of 2084	1268	images.exe	252
PID 1268 wrote to memory of 2084	1268	images.exe	252
PID 2084 wrote to memory of 2136	2084	cmd.exe	254
PID 2084 wrote to memory of 2136	2084	cmd.exe	254
PID 2084 wrote to memory of 2136	2084	cmd.exe	254
PID 2084 wrote to memory of 2136	2084	cmd.exe	254
PID 1268 wrote to memory of 2124	1268	images.exe	255
PID 1268 wrote to memory of 2124	1268	images.exe	255
PID 1268 wrote to memory of 2124	1268	images.exe	255
PID 1268 wrote to memory of 2124	1268	images.exe	255
PID 2124 wrote to memory of 2168	2124	cmd.exe	257
PID 2124 wrote to memory of 2168	2124	cmd.exe	257
PID 2124 wrote to memory of 2168	2124	cmd.exe	257
PID 2124 wrote to memory of 2168	2124	cmd.exe	257
PID 1268 wrote to memory of 1604	1268	images.exe	258
PID 1268 wrote to memory of 1604	1268	images.exe	258
PID 1268 wrote to memory of 1604	1268	images.exe	258
PID 1268 wrote to memory of 1604	1268	images.exe	258
PID 1604 wrote to memory of 2196	1604	cmd.exe	260
PID 1604 wrote to memory of 2196	1604	cmd.exe	260
PID 1604 wrote to memory of 2196	1604	cmd.exe	260
PID 1604 wrote to memory of 2196	1604	cmd.exe	260
PID 1268 wrote to memory of 2244	1268	images.exe	261
PID 1268 wrote to memory of 2244	1268	images.exe	261
PID 1268 wrote to memory of 2244	1268	images.exe	261
PID 1268 wrote to memory of 2244	1268	images.exe	261
PID 2244 wrote to memory of 2256	2244	cmd.exe	263
PID 2244 wrote to memory of 2256	2244	cmd.exe	263
PID 2244 wrote to memory of 2256	2244	cmd.exe	263
PID 2244 wrote to memory of 2256	2244	cmd.exe	263
PID 1268 wrote to memory of 268	1268	images.exe	264
PID 1268 wrote to memory of 268	1268	images.exe	264
PID 1268 wrote to memory of 268	1268	images.exe	264
PID 1268 wrote to memory of 268	1268	images.exe	264
PID 268 wrote to memory of 2292	268	cmd.exe	266
PID 268 wrote to memory of 2292	268	cmd.exe	266
PID 268 wrote to memory of 2292	268	cmd.exe	266
PID 268 wrote to memory of 2292	268	cmd.exe	266
PID 1268 wrote to memory of 2356	1268	images.exe	267
PID 1268 wrote to memory of 2356	1268	images.exe	267
PID 1268 wrote to memory of 2356	1268	images.exe	267
PID 1268 wrote to memory of 2356	1268	images.exe	267
PID 2356 wrote to memory of 2376	2356	cmd.exe	269
PID 2356 wrote to memory of 2376	2356	cmd.exe	269
PID 2356 wrote to memory of 2376	2356	cmd.exe	269
PID 2356 wrote to memory of 2376	2356	cmd.exe	269
PID 1268 wrote to memory of 2396	1268	images.exe	270
PID 1268 wrote to memory of 2396	1268	images.exe	270
PID 1268 wrote to memory of 2396	1268	images.exe	270
PID 1268 wrote to memory of 2396	1268	images.exe	270
PID 2396 wrote to memory of 2432	2396	cmd.exe	272
PID 2396 wrote to memory of 2432	2396	cmd.exe	272
PID 2396 wrote to memory of 2432	2396	cmd.exe	272
PID 2396 wrote to memory of 2432	2396	cmd.exe	272

C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe
"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"
  2⤵
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Roaming\system\images.exe
    "C:\Users\Admin\AppData\Roaming\system\images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1900
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1220
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2012
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:960
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1460
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1724
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1004
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1236
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1908
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1396
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1596
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1124
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1272
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1428
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1112
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:936
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1692
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:884
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1324
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1732
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1784
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:684
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1740
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1576
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:108
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1688
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:560
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1132
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:912
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:908
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1676
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1504
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1984
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1972
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1980
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2004
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1460
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:108
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1860
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1032
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1612
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1588
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:940
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1404
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1224
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1968
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2060
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2104
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2148
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2192
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2236
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2324
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2416
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2460
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2504
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2636
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2724
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2768
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2812
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2900
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2988
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:3032
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2084
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2124
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1604
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2244
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:268
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2356
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2396
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-0-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/844-4-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/844-3-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/844-1-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1220-33-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/1220-32-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1220-31-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1220-28-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1268-15-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/1268-23-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/1268-17-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download