4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72

Resubmissions

07-07-2022 07:38

220707-jgnwpafbfn 10

02-11-2020 14:43

201102-qmzdv5yy92 8

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
02-11-2020 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Booking Confirmation591773251.exe
Size

926KB
MD5

d36537604871b3550a9c5c635c37a601
SHA1

a5360105e7b4d5316c88e5403013dd395c1ab145
SHA256

4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72
SHA512

8b0c31bae27b95ee726fb77a2e0c6b82e599f73ad93d0fcf8c853cca2daf285796d0175ea1d5e0cfb3a40d5b80958a6c1d821b10eb241cba95a7c909ffe04df9

Score

8^/10

persistence spyware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3944	images.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 190 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3944 set thread context of 2072	3944	images.exe	86

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2072	InstallUtil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3944	images.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	Booking Confirmation591773251.exe
Token: SeDebugPrivilege	3944	images.exe
Token: SeDebugPrivilege	2072	InstallUtil.exe

Suspicious use of WriteProcessMemory 588 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1044	1304	Booking Confirmation591773251.exe	78
PID 1304 wrote to memory of 1044	1304	Booking Confirmation591773251.exe	78
PID 1304 wrote to memory of 1044	1304	Booking Confirmation591773251.exe	78
PID 1304 wrote to memory of 564	1304	Booking Confirmation591773251.exe	80
PID 1304 wrote to memory of 564	1304	Booking Confirmation591773251.exe	80
PID 1304 wrote to memory of 564	1304	Booking Confirmation591773251.exe	80
PID 564 wrote to memory of 3944	564	cmd.exe	82
PID 564 wrote to memory of 3944	564	cmd.exe	82
PID 564 wrote to memory of 3944	564	cmd.exe	82
PID 3944 wrote to memory of 2164	3944	images.exe	83
PID 3944 wrote to memory of 2164	3944	images.exe	83
PID 3944 wrote to memory of 2164	3944	images.exe	83
PID 2164 wrote to memory of 3672	2164	cmd.exe	85
PID 2164 wrote to memory of 3672	2164	cmd.exe	85
PID 2164 wrote to memory of 3672	2164	cmd.exe	85
PID 3944 wrote to memory of 2072	3944	images.exe	86
PID 3944 wrote to memory of 2072	3944	images.exe	86
PID 3944 wrote to memory of 2072	3944	images.exe	86
PID 3944 wrote to memory of 2184	3944	images.exe	87
PID 3944 wrote to memory of 2184	3944	images.exe	87
PID 3944 wrote to memory of 2184	3944	images.exe	87
PID 3944 wrote to memory of 2072	3944	images.exe	86
PID 3944 wrote to memory of 2072	3944	images.exe	86
PID 3944 wrote to memory of 2072	3944	images.exe	86
PID 3944 wrote to memory of 2072	3944	images.exe	86
PID 3944 wrote to memory of 2072	3944	images.exe	86
PID 3944 wrote to memory of 2072	3944	images.exe	86
PID 2184 wrote to memory of 2648	2184	cmd.exe	89
PID 2184 wrote to memory of 2648	2184	cmd.exe	89
PID 2184 wrote to memory of 2648	2184	cmd.exe	89
PID 3944 wrote to memory of 1836	3944	images.exe	90
PID 3944 wrote to memory of 1836	3944	images.exe	90
PID 3944 wrote to memory of 1836	3944	images.exe	90
PID 1836 wrote to memory of 988	1836	cmd.exe	92
PID 1836 wrote to memory of 988	1836	cmd.exe	92
PID 1836 wrote to memory of 988	1836	cmd.exe	92
PID 3944 wrote to memory of 2084	3944	images.exe	93
PID 3944 wrote to memory of 2084	3944	images.exe	93
PID 3944 wrote to memory of 2084	3944	images.exe	93
PID 2084 wrote to memory of 692	2084	cmd.exe	95
PID 2084 wrote to memory of 692	2084	cmd.exe	95
PID 2084 wrote to memory of 692	2084	cmd.exe	95
PID 3944 wrote to memory of 3040	3944	images.exe	96
PID 3944 wrote to memory of 3040	3944	images.exe	96
PID 3944 wrote to memory of 3040	3944	images.exe	96
PID 3040 wrote to memory of 1368	3040	cmd.exe	98
PID 3040 wrote to memory of 1368	3040	cmd.exe	98
PID 3040 wrote to memory of 1368	3040	cmd.exe	98
PID 3944 wrote to memory of 3828	3944	images.exe	99
PID 3944 wrote to memory of 3828	3944	images.exe	99
PID 3944 wrote to memory of 3828	3944	images.exe	99
PID 3828 wrote to memory of 1444	3828	cmd.exe	101
PID 3828 wrote to memory of 1444	3828	cmd.exe	101
PID 3828 wrote to memory of 1444	3828	cmd.exe	101
PID 3944 wrote to memory of 2944	3944	images.exe	103
PID 3944 wrote to memory of 2944	3944	images.exe	103
PID 3944 wrote to memory of 2944	3944	images.exe	103
PID 2944 wrote to memory of 792	2944	cmd.exe	105
PID 2944 wrote to memory of 792	2944	cmd.exe	105
PID 2944 wrote to memory of 792	2944	cmd.exe	105
PID 3944 wrote to memory of 3680	3944	images.exe	106
PID 3944 wrote to memory of 3680	3944	images.exe	106
PID 3944 wrote to memory of 3680	3944	images.exe	106
PID 3680 wrote to memory of 3668	3680	cmd.exe	108
PID 3680 wrote to memory of 3668	3680	cmd.exe	108
PID 3680 wrote to memory of 3668	3680	cmd.exe	108
PID 3944 wrote to memory of 1704	3944	images.exe	109
PID 3944 wrote to memory of 1704	3944	images.exe	109
PID 3944 wrote to memory of 1704	3944	images.exe	109
PID 1704 wrote to memory of 812	1704	cmd.exe	111
PID 1704 wrote to memory of 812	1704	cmd.exe	111
PID 1704 wrote to memory of 812	1704	cmd.exe	111
PID 3944 wrote to memory of 796	3944	images.exe	112
PID 3944 wrote to memory of 796	3944	images.exe	112
PID 3944 wrote to memory of 796	3944	images.exe	112
PID 796 wrote to memory of 1308	796	cmd.exe	114
PID 796 wrote to memory of 1308	796	cmd.exe	114
PID 796 wrote to memory of 1308	796	cmd.exe	114
PID 3944 wrote to memory of 2552	3944	images.exe	115
PID 3944 wrote to memory of 2552	3944	images.exe	115
PID 3944 wrote to memory of 2552	3944	images.exe	115
PID 2552 wrote to memory of 3424	2552	cmd.exe	117
PID 2552 wrote to memory of 3424	2552	cmd.exe	117
PID 2552 wrote to memory of 3424	2552	cmd.exe	117
PID 3944 wrote to memory of 2096	3944	images.exe	118
PID 3944 wrote to memory of 2096	3944	images.exe	118
PID 3944 wrote to memory of 2096	3944	images.exe	118
PID 2096 wrote to memory of 416	2096	cmd.exe	120
PID 2096 wrote to memory of 416	2096	cmd.exe	120
PID 2096 wrote to memory of 416	2096	cmd.exe	120
PID 3944 wrote to memory of 372	3944	images.exe	121
PID 3944 wrote to memory of 372	3944	images.exe	121
PID 3944 wrote to memory of 372	3944	images.exe	121
PID 372 wrote to memory of 1728	372	cmd.exe	123
PID 372 wrote to memory of 1728	372	cmd.exe	123
PID 372 wrote to memory of 1728	372	cmd.exe	123
PID 3944 wrote to memory of 808	3944	images.exe	124
PID 3944 wrote to memory of 808	3944	images.exe	124
PID 3944 wrote to memory of 808	3944	images.exe	124
PID 808 wrote to memory of 3396	808	cmd.exe	126
PID 808 wrote to memory of 3396	808	cmd.exe	126
PID 808 wrote to memory of 3396	808	cmd.exe	126
PID 3944 wrote to memory of 1620	3944	images.exe	127
PID 3944 wrote to memory of 1620	3944	images.exe	127
PID 3944 wrote to memory of 1620	3944	images.exe	127
PID 1620 wrote to memory of 3784	1620	cmd.exe	129
PID 1620 wrote to memory of 3784	1620	cmd.exe	129
PID 1620 wrote to memory of 3784	1620	cmd.exe	129
PID 3944 wrote to memory of 2328	3944	images.exe	130
PID 3944 wrote to memory of 2328	3944	images.exe	130
PID 3944 wrote to memory of 2328	3944	images.exe	130
PID 2328 wrote to memory of 1716	2328	cmd.exe	132
PID 2328 wrote to memory of 1716	2328	cmd.exe	132
PID 2328 wrote to memory of 1716	2328	cmd.exe	132
PID 3944 wrote to memory of 1420	3944	images.exe	133
PID 3944 wrote to memory of 1420	3944	images.exe	133
PID 3944 wrote to memory of 1420	3944	images.exe	133
PID 1420 wrote to memory of 2796	1420	cmd.exe	135
PID 1420 wrote to memory of 2796	1420	cmd.exe	135
PID 1420 wrote to memory of 2796	1420	cmd.exe	135
PID 3944 wrote to memory of 2520	3944	images.exe	136
PID 3944 wrote to memory of 2520	3944	images.exe	136
PID 3944 wrote to memory of 2520	3944	images.exe	136
PID 2520 wrote to memory of 4040	2520	cmd.exe	138
PID 2520 wrote to memory of 4040	2520	cmd.exe	138
PID 2520 wrote to memory of 4040	2520	cmd.exe	138
PID 3944 wrote to memory of 2144	3944	images.exe	139
PID 3944 wrote to memory of 2144	3944	images.exe	139
PID 3944 wrote to memory of 2144	3944	images.exe	139
PID 2144 wrote to memory of 3488	2144	cmd.exe	141
PID 2144 wrote to memory of 3488	2144	cmd.exe	141
PID 2144 wrote to memory of 3488	2144	cmd.exe	141
PID 3944 wrote to memory of 976	3944	images.exe	142
PID 3944 wrote to memory of 976	3944	images.exe	142
PID 3944 wrote to memory of 976	3944	images.exe	142
PID 976 wrote to memory of 1320	976	cmd.exe	144
PID 976 wrote to memory of 1320	976	cmd.exe	144
PID 976 wrote to memory of 1320	976	cmd.exe	144
PID 3944 wrote to memory of 2500	3944	images.exe	145
PID 3944 wrote to memory of 2500	3944	images.exe	145
PID 3944 wrote to memory of 2500	3944	images.exe	145
PID 2500 wrote to memory of 2292	2500	cmd.exe	147
PID 2500 wrote to memory of 2292	2500	cmd.exe	147
PID 2500 wrote to memory of 2292	2500	cmd.exe	147
PID 3944 wrote to memory of 2564	3944	images.exe	148
PID 3944 wrote to memory of 2564	3944	images.exe	148
PID 3944 wrote to memory of 2564	3944	images.exe	148
PID 2564 wrote to memory of 2276	2564	cmd.exe	150
PID 2564 wrote to memory of 2276	2564	cmd.exe	150
PID 2564 wrote to memory of 2276	2564	cmd.exe	150
PID 3944 wrote to memory of 728	3944	images.exe	151
PID 3944 wrote to memory of 728	3944	images.exe	151
PID 3944 wrote to memory of 728	3944	images.exe	151
PID 728 wrote to memory of 3692	728	cmd.exe	153
PID 728 wrote to memory of 3692	728	cmd.exe	153
PID 728 wrote to memory of 3692	728	cmd.exe	153
PID 3944 wrote to memory of 2136	3944	images.exe	154
PID 3944 wrote to memory of 2136	3944	images.exe	154
PID 3944 wrote to memory of 2136	3944	images.exe	154
PID 2136 wrote to memory of 968	2136	cmd.exe	156
PID 2136 wrote to memory of 968	2136	cmd.exe	156
PID 2136 wrote to memory of 968	2136	cmd.exe	156
PID 3944 wrote to memory of 1048	3944	images.exe	157
PID 3944 wrote to memory of 1048	3944	images.exe	157
PID 3944 wrote to memory of 1048	3944	images.exe	157
PID 1048 wrote to memory of 1520	1048	cmd.exe	159
PID 1048 wrote to memory of 1520	1048	cmd.exe	159
PID 1048 wrote to memory of 1520	1048	cmd.exe	159
PID 3944 wrote to memory of 1572	3944	images.exe	160
PID 3944 wrote to memory of 1572	3944	images.exe	160
PID 3944 wrote to memory of 1572	3944	images.exe	160
PID 1572 wrote to memory of 3928	1572	cmd.exe	162
PID 1572 wrote to memory of 3928	1572	cmd.exe	162
PID 1572 wrote to memory of 3928	1572	cmd.exe	162
PID 3944 wrote to memory of 3656	3944	images.exe	163
PID 3944 wrote to memory of 3656	3944	images.exe	163
PID 3944 wrote to memory of 3656	3944	images.exe	163
PID 3656 wrote to memory of 552	3656	cmd.exe	165
PID 3656 wrote to memory of 552	3656	cmd.exe	165
PID 3656 wrote to memory of 552	3656	cmd.exe	165
PID 3944 wrote to memory of 980	3944	images.exe	166
PID 3944 wrote to memory of 980	3944	images.exe	166
PID 3944 wrote to memory of 980	3944	images.exe	166
PID 980 wrote to memory of 3600	980	cmd.exe	168
PID 980 wrote to memory of 3600	980	cmd.exe	168
PID 980 wrote to memory of 3600	980	cmd.exe	168
PID 3944 wrote to memory of 1392	3944	images.exe	169
PID 3944 wrote to memory of 1392	3944	images.exe	169
PID 3944 wrote to memory of 1392	3944	images.exe	169
PID 1392 wrote to memory of 1268	1392	cmd.exe	171
PID 1392 wrote to memory of 1268	1392	cmd.exe	171
PID 1392 wrote to memory of 1268	1392	cmd.exe	171
PID 3944 wrote to memory of 1640	3944	images.exe	172
PID 3944 wrote to memory of 1640	3944	images.exe	172
PID 3944 wrote to memory of 1640	3944	images.exe	172
PID 1640 wrote to memory of 3140	1640	cmd.exe	174
PID 1640 wrote to memory of 3140	1640	cmd.exe	174
PID 1640 wrote to memory of 3140	1640	cmd.exe	174
PID 3944 wrote to memory of 1120	3944	images.exe	175
PID 3944 wrote to memory of 1120	3944	images.exe	175
PID 3944 wrote to memory of 1120	3944	images.exe	175
PID 1120 wrote to memory of 1056	1120	cmd.exe	177
PID 1120 wrote to memory of 1056	1120	cmd.exe	177
PID 1120 wrote to memory of 1056	1120	cmd.exe	177
PID 3944 wrote to memory of 1424	3944	images.exe	178
PID 3944 wrote to memory of 1424	3944	images.exe	178
PID 3944 wrote to memory of 1424	3944	images.exe	178
PID 1424 wrote to memory of 1784	1424	cmd.exe	180
PID 1424 wrote to memory of 1784	1424	cmd.exe	180
PID 1424 wrote to memory of 1784	1424	cmd.exe	180
PID 3944 wrote to memory of 560	3944	images.exe	181
PID 3944 wrote to memory of 560	3944	images.exe	181
PID 3944 wrote to memory of 560	3944	images.exe	181
PID 560 wrote to memory of 3956	560	cmd.exe	183
PID 560 wrote to memory of 3956	560	cmd.exe	183
PID 560 wrote to memory of 3956	560	cmd.exe	183
PID 3944 wrote to memory of 2732	3944	images.exe	184
PID 3944 wrote to memory of 2732	3944	images.exe	184
PID 3944 wrote to memory of 2732	3944	images.exe	184
PID 2732 wrote to memory of 2880	2732	cmd.exe	186
PID 2732 wrote to memory of 2880	2732	cmd.exe	186
PID 2732 wrote to memory of 2880	2732	cmd.exe	186
PID 3944 wrote to memory of 2524	3944	images.exe	187
PID 3944 wrote to memory of 2524	3944	images.exe	187
PID 3944 wrote to memory of 2524	3944	images.exe	187
PID 2524 wrote to memory of 2800	2524	cmd.exe	189
PID 2524 wrote to memory of 2800	2524	cmd.exe	189
PID 2524 wrote to memory of 2800	2524	cmd.exe	189
PID 3944 wrote to memory of 1844	3944	images.exe	190
PID 3944 wrote to memory of 1844	3944	images.exe	190
PID 3944 wrote to memory of 1844	3944	images.exe	190
PID 1844 wrote to memory of 1128	1844	cmd.exe	192
PID 1844 wrote to memory of 1128	1844	cmd.exe	192
PID 1844 wrote to memory of 1128	1844	cmd.exe	192
PID 3944 wrote to memory of 1796	3944	images.exe	193
PID 3944 wrote to memory of 1796	3944	images.exe	193
PID 3944 wrote to memory of 1796	3944	images.exe	193
PID 1796 wrote to memory of 2464	1796	cmd.exe	195
PID 1796 wrote to memory of 2464	1796	cmd.exe	195
PID 1796 wrote to memory of 2464	1796	cmd.exe	195
PID 3944 wrote to memory of 188	3944	images.exe	196
PID 3944 wrote to memory of 188	3944	images.exe	196
PID 3944 wrote to memory of 188	3944	images.exe	196
PID 188 wrote to memory of 2280	188	cmd.exe	198
PID 188 wrote to memory of 2280	188	cmd.exe	198
PID 188 wrote to memory of 2280	188	cmd.exe	198
PID 3944 wrote to memory of 4120	3944	images.exe	199
PID 3944 wrote to memory of 4120	3944	images.exe	199
PID 3944 wrote to memory of 4120	3944	images.exe	199
PID 4120 wrote to memory of 4164	4120	cmd.exe	201
PID 4120 wrote to memory of 4164	4120	cmd.exe	201
PID 4120 wrote to memory of 4164	4120	cmd.exe	201
PID 3944 wrote to memory of 4188	3944	images.exe	202
PID 3944 wrote to memory of 4188	3944	images.exe	202
PID 3944 wrote to memory of 4188	3944	images.exe	202
PID 4188 wrote to memory of 4232	4188	cmd.exe	204
PID 4188 wrote to memory of 4232	4188	cmd.exe	204
PID 4188 wrote to memory of 4232	4188	cmd.exe	204
PID 3944 wrote to memory of 4256	3944	images.exe	205
PID 3944 wrote to memory of 4256	3944	images.exe	205
PID 3944 wrote to memory of 4256	3944	images.exe	205
PID 4256 wrote to memory of 4300	4256	cmd.exe	207
PID 4256 wrote to memory of 4300	4256	cmd.exe	207
PID 4256 wrote to memory of 4300	4256	cmd.exe	207
PID 3944 wrote to memory of 4324	3944	images.exe	208
PID 3944 wrote to memory of 4324	3944	images.exe	208
PID 3944 wrote to memory of 4324	3944	images.exe	208
PID 4324 wrote to memory of 4368	4324	cmd.exe	210
PID 4324 wrote to memory of 4368	4324	cmd.exe	210
PID 4324 wrote to memory of 4368	4324	cmd.exe	210
PID 3944 wrote to memory of 4392	3944	images.exe	211
PID 3944 wrote to memory of 4392	3944	images.exe	211
PID 3944 wrote to memory of 4392	3944	images.exe	211
PID 4392 wrote to memory of 4436	4392	cmd.exe	213
PID 4392 wrote to memory of 4436	4392	cmd.exe	213
PID 4392 wrote to memory of 4436	4392	cmd.exe	213
PID 3944 wrote to memory of 4460	3944	images.exe	214
PID 3944 wrote to memory of 4460	3944	images.exe	214
PID 3944 wrote to memory of 4460	3944	images.exe	214
PID 4460 wrote to memory of 4504	4460	cmd.exe	216
PID 4460 wrote to memory of 4504	4460	cmd.exe	216
PID 4460 wrote to memory of 4504	4460	cmd.exe	216
PID 3944 wrote to memory of 4528	3944	images.exe	217
PID 3944 wrote to memory of 4528	3944	images.exe	217
PID 3944 wrote to memory of 4528	3944	images.exe	217
PID 4528 wrote to memory of 4572	4528	cmd.exe	219
PID 4528 wrote to memory of 4572	4528	cmd.exe	219
PID 4528 wrote to memory of 4572	4528	cmd.exe	219
PID 3944 wrote to memory of 4596	3944	images.exe	220
PID 3944 wrote to memory of 4596	3944	images.exe	220
PID 3944 wrote to memory of 4596	3944	images.exe	220
PID 4596 wrote to memory of 4640	4596	cmd.exe	222
PID 4596 wrote to memory of 4640	4596	cmd.exe	222
PID 4596 wrote to memory of 4640	4596	cmd.exe	222
PID 3944 wrote to memory of 4664	3944	images.exe	223
PID 3944 wrote to memory of 4664	3944	images.exe	223
PID 3944 wrote to memory of 4664	3944	images.exe	223
PID 4664 wrote to memory of 4708	4664	cmd.exe	225
PID 4664 wrote to memory of 4708	4664	cmd.exe	225
PID 4664 wrote to memory of 4708	4664	cmd.exe	225
PID 3944 wrote to memory of 4732	3944	images.exe	226
PID 3944 wrote to memory of 4732	3944	images.exe	226
PID 3944 wrote to memory of 4732	3944	images.exe	226
PID 4732 wrote to memory of 4776	4732	cmd.exe	228
PID 4732 wrote to memory of 4776	4732	cmd.exe	228
PID 4732 wrote to memory of 4776	4732	cmd.exe	228
PID 3944 wrote to memory of 4800	3944	images.exe	229
PID 3944 wrote to memory of 4800	3944	images.exe	229
PID 3944 wrote to memory of 4800	3944	images.exe	229
PID 4800 wrote to memory of 4844	4800	cmd.exe	231
PID 4800 wrote to memory of 4844	4800	cmd.exe	231
PID 4800 wrote to memory of 4844	4800	cmd.exe	231
PID 3944 wrote to memory of 4868	3944	images.exe	232
PID 3944 wrote to memory of 4868	3944	images.exe	232
PID 3944 wrote to memory of 4868	3944	images.exe	232
PID 4868 wrote to memory of 4912	4868	cmd.exe	234
PID 4868 wrote to memory of 4912	4868	cmd.exe	234
PID 4868 wrote to memory of 4912	4868	cmd.exe	234
PID 3944 wrote to memory of 4936	3944	images.exe	235
PID 3944 wrote to memory of 4936	3944	images.exe	235
PID 3944 wrote to memory of 4936	3944	images.exe	235
PID 4936 wrote to memory of 4980	4936	cmd.exe	237
PID 4936 wrote to memory of 4980	4936	cmd.exe	237
PID 4936 wrote to memory of 4980	4936	cmd.exe	237
PID 3944 wrote to memory of 5004	3944	images.exe	238
PID 3944 wrote to memory of 5004	3944	images.exe	238
PID 3944 wrote to memory of 5004	3944	images.exe	238
PID 5004 wrote to memory of 5048	5004	cmd.exe	240
PID 5004 wrote to memory of 5048	5004	cmd.exe	240
PID 5004 wrote to memory of 5048	5004	cmd.exe	240
PID 3944 wrote to memory of 5072	3944	images.exe	241
PID 3944 wrote to memory of 5072	3944	images.exe	241
PID 3944 wrote to memory of 5072	3944	images.exe	241
PID 5072 wrote to memory of 5116	5072	cmd.exe	243
PID 5072 wrote to memory of 5116	5072	cmd.exe	243
PID 5072 wrote to memory of 5116	5072	cmd.exe	243
PID 3944 wrote to memory of 2152	3944	images.exe	244
PID 3944 wrote to memory of 2152	3944	images.exe	244
PID 3944 wrote to memory of 2152	3944	images.exe	244
PID 2152 wrote to memory of 4180	2152	cmd.exe	246
PID 2152 wrote to memory of 4180	2152	cmd.exe	246
PID 2152 wrote to memory of 4180	2152	cmd.exe	246
PID 3944 wrote to memory of 4144	3944	images.exe	247
PID 3944 wrote to memory of 4144	3944	images.exe	247
PID 3944 wrote to memory of 4144	3944	images.exe	247
PID 4144 wrote to memory of 4216	4144	cmd.exe	249
PID 4144 wrote to memory of 4216	4144	cmd.exe	249
PID 4144 wrote to memory of 4216	4144	cmd.exe	249
PID 3944 wrote to memory of 4200	3944	images.exe	250
PID 3944 wrote to memory of 4200	3944	images.exe	250
PID 3944 wrote to memory of 4200	3944	images.exe	250
PID 4200 wrote to memory of 4280	4200	cmd.exe	252
PID 4200 wrote to memory of 4280	4200	cmd.exe	252
PID 4200 wrote to memory of 4280	4200	cmd.exe	252
PID 3944 wrote to memory of 4340	3944	images.exe	253
PID 3944 wrote to memory of 4340	3944	images.exe	253
PID 3944 wrote to memory of 4340	3944	images.exe	253
PID 4340 wrote to memory of 4344	4340	cmd.exe	255
PID 4340 wrote to memory of 4344	4340	cmd.exe	255
PID 4340 wrote to memory of 4344	4340	cmd.exe	255
PID 3944 wrote to memory of 4448	3944	images.exe	256
PID 3944 wrote to memory of 4448	3944	images.exe	256
PID 3944 wrote to memory of 4448	3944	images.exe	256
PID 4448 wrote to memory of 4476	4448	cmd.exe	258
PID 4448 wrote to memory of 4476	4448	cmd.exe	258
PID 4448 wrote to memory of 4476	4448	cmd.exe	258
PID 3944 wrote to memory of 4500	3944	images.exe	259
PID 3944 wrote to memory of 4500	3944	images.exe	259
PID 3944 wrote to memory of 4500	3944	images.exe	259
PID 4500 wrote to memory of 4584	4500	cmd.exe	261
PID 4500 wrote to memory of 4584	4500	cmd.exe	261
PID 4500 wrote to memory of 4584	4500	cmd.exe	261
PID 3944 wrote to memory of 4552	3944	images.exe	262
PID 3944 wrote to memory of 4552	3944	images.exe	262
PID 3944 wrote to memory of 4552	3944	images.exe	262
PID 4552 wrote to memory of 4636	4552	cmd.exe	264
PID 4552 wrote to memory of 4636	4552	cmd.exe	264
PID 4552 wrote to memory of 4636	4552	cmd.exe	264
PID 3944 wrote to memory of 4608	3944	images.exe	265
PID 3944 wrote to memory of 4608	3944	images.exe	265
PID 3944 wrote to memory of 4608	3944	images.exe	265
PID 4608 wrote to memory of 4684	4608	cmd.exe	267
PID 4608 wrote to memory of 4684	4608	cmd.exe	267
PID 4608 wrote to memory of 4684	4608	cmd.exe	267
PID 3944 wrote to memory of 4784	3944	images.exe	268
PID 3944 wrote to memory of 4784	3944	images.exe	268
PID 3944 wrote to memory of 4784	3944	images.exe	268
PID 4784 wrote to memory of 4744	4784	cmd.exe	270
PID 4784 wrote to memory of 4744	4784	cmd.exe	270
PID 4784 wrote to memory of 4744	4784	cmd.exe	270
PID 3944 wrote to memory of 4848	3944	images.exe	271
PID 3944 wrote to memory of 4848	3944	images.exe	271
PID 3944 wrote to memory of 4848	3944	images.exe	271
PID 4848 wrote to memory of 4884	4848	cmd.exe	273
PID 4848 wrote to memory of 4884	4848	cmd.exe	273
PID 4848 wrote to memory of 4884	4848	cmd.exe	273
PID 3944 wrote to memory of 4908	3944	images.exe	274
PID 3944 wrote to memory of 4908	3944	images.exe	274
PID 3944 wrote to memory of 4908	3944	images.exe	274
PID 4908 wrote to memory of 4992	4908	cmd.exe	276
PID 4908 wrote to memory of 4992	4908	cmd.exe	276
PID 4908 wrote to memory of 4992	4908	cmd.exe	276
PID 3944 wrote to memory of 4956	3944	images.exe	277
PID 3944 wrote to memory of 4956	3944	images.exe	277
PID 3944 wrote to memory of 4956	3944	images.exe	277
PID 4956 wrote to memory of 5032	4956	cmd.exe	279
PID 4956 wrote to memory of 5032	4956	cmd.exe	279
PID 4956 wrote to memory of 5032	4956	cmd.exe	279
PID 3944 wrote to memory of 5024	3944	images.exe	280
PID 3944 wrote to memory of 5024	3944	images.exe	280
PID 3944 wrote to memory of 5024	3944	images.exe	280
PID 5024 wrote to memory of 5076	5024	cmd.exe	282
PID 5024 wrote to memory of 5076	5024	cmd.exe	282
PID 5024 wrote to memory of 5076	5024	cmd.exe	282
PID 3944 wrote to memory of 2132	3944	images.exe	283
PID 3944 wrote to memory of 2132	3944	images.exe	283
PID 3944 wrote to memory of 2132	3944	images.exe	283
PID 2132 wrote to memory of 1272	2132	cmd.exe	285
PID 2132 wrote to memory of 1272	2132	cmd.exe	285
PID 2132 wrote to memory of 1272	2132	cmd.exe	285
PID 3944 wrote to memory of 4224	3944	images.exe	286
PID 3944 wrote to memory of 4224	3944	images.exe	286
PID 3944 wrote to memory of 4224	3944	images.exe	286
PID 4224 wrote to memory of 4304	4224	cmd.exe	288
PID 4224 wrote to memory of 4304	4224	cmd.exe	288
PID 4224 wrote to memory of 4304	4224	cmd.exe	288
PID 3944 wrote to memory of 4260	3944	images.exe	289
PID 3944 wrote to memory of 4260	3944	images.exe	289
PID 3944 wrote to memory of 4260	3944	images.exe	289
PID 4260 wrote to memory of 4408	4260	cmd.exe	291
PID 4260 wrote to memory of 4408	4260	cmd.exe	291
PID 4260 wrote to memory of 4408	4260	cmd.exe	291
PID 3944 wrote to memory of 4364	3944	images.exe	292
PID 3944 wrote to memory of 4364	3944	images.exe	292
PID 3944 wrote to memory of 4364	3944	images.exe	292
PID 4364 wrote to memory of 4428	4364	cmd.exe	294
PID 4364 wrote to memory of 4428	4364	cmd.exe	294
PID 4364 wrote to memory of 4428	4364	cmd.exe	294
PID 3944 wrote to memory of 4432	3944	images.exe	295
PID 3944 wrote to memory of 4432	3944	images.exe	295
PID 3944 wrote to memory of 4432	3944	images.exe	295
PID 4432 wrote to memory of 4472	4432	cmd.exe	297
PID 4432 wrote to memory of 4472	4432	cmd.exe	297
PID 4432 wrote to memory of 4472	4432	cmd.exe	297
PID 3944 wrote to memory of 4600	3944	images.exe	298
PID 3944 wrote to memory of 4600	3944	images.exe	298
PID 3944 wrote to memory of 4600	3944	images.exe	298
PID 4600 wrote to memory of 4540	4600	cmd.exe	300
PID 4600 wrote to memory of 4540	4600	cmd.exe	300
PID 4600 wrote to memory of 4540	4600	cmd.exe	300
PID 3944 wrote to memory of 4676	3944	images.exe	301
PID 3944 wrote to memory of 4676	3944	images.exe	301
PID 3944 wrote to memory of 4676	3944	images.exe	301
PID 4676 wrote to memory of 4816	4676	cmd.exe	303
PID 4676 wrote to memory of 4816	4676	cmd.exe	303
PID 4676 wrote to memory of 4816	4676	cmd.exe	303
PID 3944 wrote to memory of 4756	3944	images.exe	304
PID 3944 wrote to memory of 4756	3944	images.exe	304
PID 3944 wrote to memory of 4756	3944	images.exe	304
PID 4756 wrote to memory of 4920	4756	cmd.exe	306
PID 4756 wrote to memory of 4920	4756	cmd.exe	306
PID 4756 wrote to memory of 4920	4756	cmd.exe	306
PID 3944 wrote to memory of 4824	3944	images.exe	307
PID 3944 wrote to memory of 4824	3944	images.exe	307
PID 3944 wrote to memory of 4824	3944	images.exe	307
PID 4824 wrote to memory of 4900	4824	cmd.exe	309
PID 4824 wrote to memory of 4900	4824	cmd.exe	309
PID 4824 wrote to memory of 4900	4824	cmd.exe	309
PID 3944 wrote to memory of 2156	3944	images.exe	310
PID 3944 wrote to memory of 2156	3944	images.exe	310
PID 3944 wrote to memory of 2156	3944	images.exe	310
PID 2156 wrote to memory of 5012	2156	cmd.exe	312
PID 2156 wrote to memory of 5012	2156	cmd.exe	312
PID 2156 wrote to memory of 5012	2156	cmd.exe	312
PID 3944 wrote to memory of 5092	3944	images.exe	313
PID 3944 wrote to memory of 5092	3944	images.exe	313
PID 3944 wrote to memory of 5092	3944	images.exe	313
PID 5092 wrote to memory of 4176	5092	cmd.exe	315
PID 5092 wrote to memory of 4176	5092	cmd.exe	315
PID 5092 wrote to memory of 4176	5092	cmd.exe	315
PID 3944 wrote to memory of 4136	3944	images.exe	316
PID 3944 wrote to memory of 4136	3944	images.exe	316
PID 3944 wrote to memory of 4136	3944	images.exe	316
PID 4136 wrote to memory of 2112	4136	cmd.exe	318
PID 4136 wrote to memory of 2112	4136	cmd.exe	318
PID 4136 wrote to memory of 2112	4136	cmd.exe	318
PID 3944 wrote to memory of 4240	3944	images.exe	319
PID 3944 wrote to memory of 4240	3944	images.exe	319
PID 3944 wrote to memory of 4240	3944	images.exe	319
PID 4240 wrote to memory of 4444	4240	cmd.exe	321
PID 4240 wrote to memory of 4444	4240	cmd.exe	321
PID 4240 wrote to memory of 4444	4240	cmd.exe	321
PID 3944 wrote to memory of 4312	3944	images.exe	322
PID 3944 wrote to memory of 4312	3944	images.exe	322
PID 3944 wrote to memory of 4312	3944	images.exe	322
PID 4312 wrote to memory of 4508	4312	cmd.exe	324
PID 4312 wrote to memory of 4508	4312	cmd.exe	324
PID 4312 wrote to memory of 4508	4312	cmd.exe	324
PID 3944 wrote to memory of 4480	3944	images.exe	325
PID 3944 wrote to memory of 4480	3944	images.exe	325
PID 3944 wrote to memory of 4480	3944	images.exe	325
PID 4480 wrote to memory of 4556	4480	cmd.exe	327
PID 4480 wrote to memory of 4556	4480	cmd.exe	327
PID 4480 wrote to memory of 4556	4480	cmd.exe	327
PID 3944 wrote to memory of 4696	3944	images.exe	328
PID 3944 wrote to memory of 4696	3944	images.exe	328
PID 3944 wrote to memory of 4696	3944	images.exe	328
PID 4696 wrote to memory of 4852	4696	cmd.exe	330
PID 4696 wrote to memory of 4852	4696	cmd.exe	330
PID 4696 wrote to memory of 4852	4696	cmd.exe	330
PID 3944 wrote to memory of 4716	3944	images.exe	331
PID 3944 wrote to memory of 4716	3944	images.exe	331
PID 3944 wrote to memory of 4716	3944	images.exe	331
PID 4716 wrote to memory of 4876	4716	cmd.exe	333
PID 4716 wrote to memory of 4876	4716	cmd.exe	333
PID 4716 wrote to memory of 4876	4716	cmd.exe	333
PID 3944 wrote to memory of 4924	3944	images.exe	334
PID 3944 wrote to memory of 4924	3944	images.exe	334
PID 3944 wrote to memory of 4924	3944	images.exe	334
PID 4924 wrote to memory of 992	4924	cmd.exe	336
PID 4924 wrote to memory of 992	4924	cmd.exe	336
PID 4924 wrote to memory of 992	4924	cmd.exe	336
PID 3944 wrote to memory of 748	3944	images.exe	337
PID 3944 wrote to memory of 748	3944	images.exe	337
PID 3944 wrote to memory of 748	3944	images.exe	337
PID 748 wrote to memory of 4888	748	cmd.exe	339
PID 748 wrote to memory of 4888	748	cmd.exe	339
PID 748 wrote to memory of 4888	748	cmd.exe	339
PID 3944 wrote to memory of 4996	3944	images.exe	340
PID 3944 wrote to memory of 4996	3944	images.exe	340
PID 3944 wrote to memory of 4996	3944	images.exe	340
PID 4996 wrote to memory of 4972	4996	cmd.exe	342
PID 4996 wrote to memory of 4972	4996	cmd.exe	342
PID 4996 wrote to memory of 4972	4996	cmd.exe	342
PID 3944 wrote to memory of 5104	3944	images.exe	343
PID 3944 wrote to memory of 5104	3944	images.exe	343
PID 3944 wrote to memory of 5104	3944	images.exe	343
PID 5104 wrote to memory of 5088	5104	cmd.exe	345
PID 5104 wrote to memory of 5088	5104	cmd.exe	345
PID 5104 wrote to memory of 5088	5104	cmd.exe	345
PID 3944 wrote to memory of 4276	3944	images.exe	346
PID 3944 wrote to memory of 4276	3944	images.exe	346
PID 3944 wrote to memory of 4276	3944	images.exe	346
PID 4276 wrote to memory of 4156	4276	cmd.exe	348
PID 4276 wrote to memory of 4156	4276	cmd.exe	348
PID 4276 wrote to memory of 4156	4276	cmd.exe	348
PID 3944 wrote to memory of 4328	3944	images.exe	349
PID 3944 wrote to memory of 4328	3944	images.exe	349
PID 3944 wrote to memory of 4328	3944	images.exe	349
PID 4328 wrote to memory of 4496	4328	cmd.exe	351
PID 4328 wrote to memory of 4496	4328	cmd.exe	351
PID 4328 wrote to memory of 4496	4328	cmd.exe	351
PID 3944 wrote to memory of 4352	3944	images.exe	352
PID 3944 wrote to memory of 4352	3944	images.exe	352
PID 3944 wrote to memory of 4352	3944	images.exe	352
PID 4352 wrote to memory of 4464	4352	cmd.exe	354
PID 4352 wrote to memory of 4464	4352	cmd.exe	354
PID 4352 wrote to memory of 4464	4352	cmd.exe	354
PID 3944 wrote to memory of 4588	3944	images.exe	355
PID 3944 wrote to memory of 4588	3944	images.exe	355
PID 3944 wrote to memory of 4588	3944	images.exe	355
PID 4588 wrote to memory of 4628	4588	cmd.exe	357
PID 4588 wrote to memory of 4628	4588	cmd.exe	357
PID 4588 wrote to memory of 4628	4588	cmd.exe	357
PID 3944 wrote to memory of 4712	3944	images.exe	358
PID 3944 wrote to memory of 4712	3944	images.exe	358
PID 3944 wrote to memory of 4712	3944	images.exe	358
PID 4712 wrote to memory of 4704	4712	cmd.exe	360
PID 4712 wrote to memory of 4704	4712	cmd.exe	360
PID 4712 wrote to memory of 4704	4712	cmd.exe	360
PID 3944 wrote to memory of 4080	3944	images.exe	361
PID 3944 wrote to memory of 4080	3944	images.exe	361
PID 3944 wrote to memory of 4080	3944	images.exe	361
PID 4080 wrote to memory of 2076	4080	cmd.exe	363
PID 4080 wrote to memory of 2076	4080	cmd.exe	363
PID 4080 wrote to memory of 2076	4080	cmd.exe	363
PID 3944 wrote to memory of 4892	3944	images.exe	364
PID 3944 wrote to memory of 4892	3944	images.exe	364
PID 3944 wrote to memory of 4892	3944	images.exe	364
PID 4892 wrote to memory of 5020	4892	cmd.exe	366
PID 4892 wrote to memory of 5020	4892	cmd.exe	366
PID 4892 wrote to memory of 5020	4892	cmd.exe	366
PID 3944 wrote to memory of 5108	3944	images.exe	367
PID 3944 wrote to memory of 5108	3944	images.exe	367
PID 3944 wrote to memory of 5108	3944	images.exe	367
PID 5108 wrote to memory of 4108	5108	cmd.exe	369
PID 5108 wrote to memory of 4108	5108	cmd.exe	369
PID 5108 wrote to memory of 4108	5108	cmd.exe	369

C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe
"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"
  2⤵
  PID:1044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Users\Admin\AppData\Roaming\system\images.exe
    "C:\Users\Admin\AppData\Roaming\system\images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3672
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:988
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:692
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3668
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3424
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2096
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:416
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:372
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:808
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3784
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2328
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1420
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2520
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2144
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3488
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:976
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2500
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2564
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:728
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:3692
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2136
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1048
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:3656
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:980
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3600
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1392
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1640
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3140
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1120
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1424
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:560
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:3956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2732
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2524
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1844
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1128
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:188
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4120
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4164
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4188
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4232
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4256
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4324
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4392
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4436
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4528
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4596
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4640
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4708
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4732
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4800
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4868
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4936
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:5004
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:5048
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:5072
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2152
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4180
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4144
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4216
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4200
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4280
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4340
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4344
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4448
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4476
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4500
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4584
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4784
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4848
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4884
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4908
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4956
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:5024
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2132
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4224
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4260
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4408
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4364
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4432
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4600
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4676
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4756
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4824
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4900
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2156
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:5092
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4136
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4240
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4312
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4508
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4480
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4556
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4696
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4924
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:992
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:748
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4996
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:5104
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4276
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4328
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4352
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4588
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4712
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4080
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:4892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:5108
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1304-7-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/1304-6-0x00000000083A0000-0x00000000083A1000-memory.dmp

Filesize
4KB

Download
memory/1304-5-0x0000000007BE0000-0x0000000007BFF000-memory.dmp

Filesize
124KB

Download
memory/1304-1-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1304-0-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/1304-4-0x00000000055B0000-0x00000000055C7000-memory.dmp

Filesize
92KB

Download
memory/1304-3-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/2072-47-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/2072-29-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2072-39-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2072-32-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-50-0x0000000008FD0000-0x0000000008FD1000-memory.dmp

Filesize
4KB

Download
memory/2072-31-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3944-13-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/3944-23-0x0000000009720000-0x000000000972A000-memory.dmp

Filesize
40KB

Download
memory/3944-25-0x00000000098A0000-0x00000000098A1000-memory.dmp

Filesize
4KB

Download